Preface



This volume contains the proceedings of the 15th International Conference on Rewriting Techniques and Applications (RTA 2004), which was held June 2-5, 2004, at the RWTH Aachen in Germany. RTA is the major forum for the presentation of research on all aspects of rewriting. Previous RTA conferences took place in Dijon (1985), Bordeaux (1987), Chapel Hill (1989), Como (1991), Montreal (1993), Kaiserslautern (1995), Rutgers (1996), Sitges (1997), Tsukuba (1998), Trento (1999), Norwich (2000), Utrecht (2001), Copenhagen (2002), and Valencia (2003).

The program committee selected 19 papers for presentation, including five 
system descriptions, from a total of 43 submissions. In addition, there were 
invited talks by Neil Jones, Aart Middeldorp, and Robin Milner. 

Many people helped to make RTA 2004 a success. I am grateful to the members of the program committee and the external referees for reviewing the submissions and maintaining the high standards of the RTA conferences. It is a great pleasure to thank the conference chair Jürgen Giesl and the other members of the local organizing committee. They were in charge of the local organization of all events partaking in the Federated Conference on Rewriting, Deduction, and Programming (RDP). Apart from RTA 2004, these events were:

— 2nd International Workshop on Higher-Order Rewriting
(Delia Kesner, Femke van Raamsdonk, and Joe Wells),

— 5th International Workshop on Rule-Based Programming
(Slim Abdennadher and Christophe Ringeissen),

— 13th International Workshop on Functional and (Constraint) Logic Programming
(Herbert Kuchen),

— IFIP Working Group 1.6 on Term Rewriting (Claude Kirchner),

— 4th International Workshop on Reduction Strategies in Rewriting and Programming
(Sergio Antoy and Yoshihito Toyama),

— 7th International Workshop on Termination
(Michael Codish and Aart Middeldorp).

I thank the organizers of all these events for making RTA 2004 more attractive 
by collocating with it. Finally, I gratefully acknowledge the financial support of 
the Deutsche Forschungsgemeinschaft (DFG). 



April 2004 



Vincent van Oostrom 
Termination Analysis of the Untyped λ-Calculus



Neil D. Jones¹ and Nina Bohr²

¹ DIKU, University of Copenhagen
² IT University of Copenhagen



Abstract. An algorithm is developed that, given an untyped λ-expression, can certify that its call-by-value evaluation will terminate. It works by an extension of the "size-change principle" earlier applied to first-order programs. The algorithm is sound (and proven so in this paper) but not complete: some λ-expressions may in fact terminate under call-by-value evaluation, but not be recognised as terminating.

The intensional power of size-change termination is reasonably high: It certifies as terminating all primitive recursive programs, and many interesting and useful general recursive algorithms including programs with mutual recursion and parameter exchanges, and Colson's "minimum" algorithm. Further, the approach allows free use of the Y combinator, and so can identify as terminating a substantial subset of PCF.

The extensional power of size-change termination is the set of functions computable by size-change terminating programs. This lies somewhere between Péter's multiple recursive functions and the class of ε0-recursive functions.



1 Introduction 

The size-change analysis of [5] can show termination of first-order functional programs whose parameter values have a well-founded size order. The method is reasonably general, easily automated, and does not require human invention of lexical or other parameter orders. This paper applies similar ideas to establish termination of higher-order programs. For simplicity and generality we focus on the simplest such language, the λ-calculus. We expect that the framework can be naturally extended to higher-order functional programs, e.g., functional subsets of Scheme or ML.

1.1 An Example of Size-Change Analysis 

Example 1. A motivating example is the size-change termination analysis of a first-order program, using the framework of [5]. Consider a program with functions f and g defined by mutual recursion:

f(x,y) = if x=0 then y else 1:g(x,y,y)

g(u,v,w) = if w=0 then 3:f(u-1,w) else 2:g(u,v-1,w+2)

The three function calls have been labeled 1, 2 and 3. The "control flow graph" in Figure 1 shows the calling function and called function of each call, e.g., 3: g → f. Each call is associated with a "size-change graph", e.g., G3 for call 3, that describes the data flow from the calling function's parameters to the called function's parameters.

[Figure 1 (drawing not reproduced): left panel "Size-change graph set 𝒢", showing the graphs G1, G2, G3 between the parameter lists {x, y} and {u, v, w}; right panel "Control flow graph" with the nodes f and g.]

Fig. 1. Call graph and size-change graphs for the example first-order program.

Termination reasoning: Consider (in order to prove it impossible) any infinite size-change graph sequence M = g1 g2 ... ∈ {G1, G2, G3}^ω that follows the program's control flow:

Case 1: M = ... (G2)^ω ends in infinitely many G2's: In this case, variable v descends infinitely.

Case 2: M = ... (G1 G2* G3)^ω. In this case, variable u descends infinitely.

Both cases are impossible (assuming, as we do, that the data value set is well-founded). Therefore a call of any program function with any data will terminate.

End of example.



1.2 Definitions and Terminology 

We describe the structure of size-change graphs and state the size-change termination condition.

Definition 1.

1. A size-change graph A →G B consists of a source set A; a target set B; and a set of labeled arcs G ⊆ A × {=, ↓} × B. If A, B are clear from context, we identify A →G B with its arc set G.

2. The identity size-change graph for A is A →id_A A where id_A = {x →= x | x ∈ A}.

3. Size-change graphs A →G1 B and C →G2 D are composible if B = C.

4. The sequential composition of size-change graphs A →G1 B and B →G2 C is A →G1;G2 C where

   G1;G2 = {x →↓ z | ↓ ∈ {r, s}, x →r y ∈ G1 and y →s z ∈ G2 for some y ∈ B}
         ∪ {x →= z | {=} = {r, s}, x →r y ∈ G1 and y →s z ∈ G2 for some y ∈ B}

Lemma 1. Sequential composition is associative. A →G B implies id_A; G = G; id_B = G.

Definition 2. A multipath M over a set 𝒢 of size-change graphs is a finite or infinite composible sequence of graphs in 𝒢. Define

𝒢^ω = {M = G0, G1, ... | graphs Gi, Gi+1 are composible for i = 0, 1, 2, ...}

Definition 3.

1. A thread in a multipath M = G0, G1, G2, ... is a sequence t = aj →rj aj+1 →rj+1 ... such that ak →rk ak+1 ∈ Gk for every k ≥ j (and each rk is = or ↓).

2. Thread t is of infinite descent if rk = ↓ for infinitely many k ≥ j.

3. A set 𝒢 of size-change graphs satisfies the size-change condition if every M ∈ 𝒢^ω contains at least one thread of infinite descent.

The size-change condition is decidable; its worst-case complexity, as a function of the size of the program being analysed, is shown complete for PSPACE in [5].



The example revisited: The program of Figure 1 has three size-change graphs, one for each of the calls 1: f → g, 2: g → g, 3: g → f, so 𝒢 = {A →G1 B, B →G2 B, B →G3 A} where A = {x, y} and B = {u, v, w}. (Note: the vertical layout of the size-change graphs in Figure 1 is inessential, though intuitively appealing. One could simply write, for instance, G3 = {u →↓ x, w →= y}.)

The termination reasoning shows that 𝒢 satisfies the size-change condition: Every infinite multipath has either a thread that decreases u infinitely, or a thread that decreases v infinitely.

2 The Call-by-Value λ-Calculus

We first summarise some standard definitions and results.

Definition 4. Exp is the set of all λ-expressions that can be formed by these syntax rules, where @ is the application operator (sometimes omitted). We use the teletype font for λ-expressions.

e, P ::= x | e@e | λx.e
x ::= Variable name

— The set of free variables fv(e) is defined in the usual way: fv(x) = {x}, fv(e@e') = fv(e) ∪ fv(e') and fv(λx.e) = fv(e) \ {x}. A closed λ-expression e satisfies fv(e) = ∅.

— A program, usually denoted by P, is any closed λ-expression.

— The set of subexpressions of a λ-expression e is denoted by subexp(e).

The following is standard, e.g., [9]. Notation: e[v/x] (β-reduction) is the result of substituting v for all free occurrences of x in e and renaming λ-bound variables if needed to avoid capture.

Definition 5. (Call-by-value semantics) The call-by-value evaluation relation is defined by the following inference rules, with judgement form e ⇓ v where e is a λ-expression and v ∈ ValueS. ValueS (for "standard value") is the set of all abstractions λx.e.

(ValueS)   v ⇓ v   (if v ∈ ValueS)

(ApplyS)   e1 ⇓ λx.e0    e2 ⇓ v2    e0[v2/x] ⇓ v
           --------------------------------------
                        e1@e2 ⇓ v

Lemma 2. (Determinism) If e ⇓ v and e ⇓ w then v = w.

Lemma 3. If e is closed and its λ-variables are all distinct, then a deduction of e ⇓ v involves no renaming.

3 Challenges in Termination Analysis of the λ-Calculus

The size-change termination analysis of [5] is based on several concepts including

1. Identifying nontermination as being caused by infinite sequences of state transitions.

2. A fixed set of program control points.

3. Observable decreases in data value sizes.

4. Construction of one size-change graph for each function call.

5. Finding the program's entire control flow graph, and the call sequences that follow it.

At first sight all these concepts seem to be absent from the λ-calculus, except that an application must be a call; and even then, it is not a priori clear which function is being called. We will show, one step at a time, that all the concepts do in fact exist in call-by-value λ-calculus evaluation.

3.1 Identifying Nontermination (Challenge 1)

We will sometimes write e ⇓ to mean e ⇓ v for some v ∈ ValueS, and write e ⇑ to mean there is no v ∈ ValueS such that e ⇓ v, i.e., if evaluation of e does not terminate.

A proof of e ⇓ v is a finite object, and no such proof exists if the computation of e fails to terminate. In order to trace an arbitrary computation, terminating or not, we introduce the "calls" relation e → e'. The rationale is straightforward: e → e' if in order to deduce e ⇓ w for some value w, it is necessary first to deduce e' ⇓ u for some u, i.e., some inference rule has form

    e' ⇓ u   ...
    ------------
       e ⇓ ?

Applying this to Definition 5 gives the following.
Definition 6. The call relation → ⊆ Exp × Exp is → = →r ∪ →d ∪ →c where →r, →d, →c are defined by the following inference rules¹.

(Operators)   e1@e2 →r e1

(Operands)    e1@e2 →d e2

(Calls)       e1 ⇓ λx.e0    e2 ⇓ v2
              ----------------------
               e1@e2 →c e0[v2/x]

As usual, we write →⁺ for the transitive closure of → and →* for its reflexive transitive closure.

A familiar example: Call-by-value reduction of the combinator Ω = (λx.x@x)@(λy.y@y) yields an infinite call chain:

Ω = (λx.x@x)@(λy.y@y) →c (λy.y@y)@(λy.y@y) →c (λy.y@y)@(λy.y@y) →c ...

In fact, this linear-call-sequence behaviour is typical of nonterminating computations:

Lemma 4. (NIS, or Nontermination Is Sequential) Let P be a program. Then P ⇑ if and only if there exists an infinite call chain

P = e0 → e1 → e2 → ...

Proof. See the Appendix. □

Rules (Calls) and (ApplyS) have a certain overlap: e2 ⇓ v2 appears in both, as does e0[v2/x]. Thus the (Calls) rule can be used as an intermediate step to simplify the (ApplyS) rule. Variations on the following combined set will be used in the rest of the paper:



Definition 7. (Combined evaluate and call rules, standard semantics)

(Values)      v ⇓ v   (if v ∈ ValueS)

(Operators)   e1@e2 →r e1

(Operands)    e1@e2 →d e2

(Calls)       e1 ⇓ λx.e0    e2 ⇓ v2
              ----------------------
               e1@e2 →c e0[v2/x]

(ApplyS)      e1@e2 →c e'    e' ⇓ v
              ----------------------
                   e1@e2 ⇓ v

¹ Naming: r, d in →r, →d are the last letters of operator and operand, and c in →c stands for "call".
3.2 Finitely Describing the Computation Space (Challenge 2)

An equivalent environment-based semantics addresses the lack of program control points.

Definition 8. (States, values and environments) State, Value, Env are the smallest sets such that

State = { e : ρ | e ∈ Exp, ρ ∈ Env and fv(e) ⊆ dom(ρ) }
Value = { λx.e : ρ | λx.e : ρ ∈ State }
Env   = { ρ : X → Value | X is a finite set of variables }

The empty environment with domain X = ∅ is written []. The evaluation judgement form is s ⇓ v where s ∈ State, v ∈ Value.

We follow the pattern of Definition 7, except that substitution (β-reduction) e0[v2/x] of the (ApplyS) rule is replaced by a "lazy substitution" that just updates the environment in the (Call) rule.

Definition 9. (Environment-based evaluation and call semantics) The evaluation and call relations ⇓, → are defined by the following inference rules, where → = →r ∪ →d ∪ →c.

(Value)      v ⇓ v   (if v ∈ Value)

(Var)        x : ρ ⇓ ρ(x)

(Operator)   e1@e2 : ρ →r e1 : ρ

(Operand)    e1 : ρ ⇓ v1
             --------------------
             e1@e2 : ρ →d e2 : ρ

(Call)       e1 : ρ ⇓ λx.e0 : ρ0    e2 : ρ ⇓ v2
             ----------------------------------
               e1@e2 : ρ →c e0 : ρ0[x ↦ v2]

(Apply)      e1@e2 : ρ →c e' : ρ'    e' : ρ' ⇓ v
             -----------------------------------
                       e1@e2 : ρ ⇓ v

Remark: A tighter version of these rules would "shrink-wrap" the environment ρ in a state e : ρ, so that dom(ρ) = fv(e) (rather than ⊇). For instance, the conclusion of (Operator) would be² e1@e2 : ρ →r e1 : ρ|fv(e1). This has no significant effect on computations.

Following the lines of [9], the environment-based semantics is shown equivalent to the standard semantics in the sense that they have the same termination behaviour, and when evaluation terminates the computed values are related by function F : Exp × Env → Exp defined as

F(e : ρ) = e[F(ρ(x1))/x1, ..., F(ρ(xk))/xk] where {x1, ..., xk} = dom(ρ) ∩ fv(e)

Lemma 5. P : [] ⇓ v (by Definition 9) if and only if P ⇓ F(v) (by Definition 5).

Proof is in the Appendix. The following is proven in the same way as Lemma 4.

² The restriction of ρ to a finite set A of variables is the environment ρ|A with domain A ∩ dom(ρ) that agrees with ρ on this domain.
Lemma 6. (NIS, or Nontermination Is Sequential) Let P be a program. Then P : [] ⇑ if and only if there exists an infinite call chain

P : [] = e0 : ρ0 → e1 : ρ1 → e2 : ρ2 → ...

3.3 The Subexpression Property

Definition 10. Given a state s, we define its expression support expsup(s) by

expsup(e : ρ) = subexp(e) ∪ ⋃_{x ∈ fv(e)} expsup(ρ(x))

Lemma 7. (Subexpression property) If s ⇓ s' or s → s' then expsup(s) ⊇ expsup(s').

Corollary 1. If P : [] ⇓ λx.e : ρ then λx.e ∈ subexp(P).

Proof of Lemma 7 is by induction on the proof of s ⇓ s' or s → s'. Base cases: s = x : ρ and s = λx.e : ρ are immediate. For rule (Call) suppose e1 : ρ ⇓ λx.e0 : ρ0 and e2 : ρ ⇓ v2. By induction

expsup(e1 : ρ) ⊇ expsup(λx.e0 : ρ0) and expsup(e2 : ρ) ⊇ expsup(v2)

Thus

expsup(e1@e2 : ρ) = expsup(e1 : ρ) ∪ expsup(e2 : ρ)
                  ⊇ expsup(λx.e0 : ρ0) ∪ expsup(v2) ⊇ expsup(e0 : ρ0[x ↦ v2])

For rule (Apply) we have expsup(e1@e2 : ρ) ⊇ expsup(e' : ρ') ⊇ expsup(v). Cases (Operator), (Operand) are immediate. □

3.4 A Control Point Is a Subexpression of a λ-Program (Challenge 2)

The subexpression property does not hold for the standard rewriting semantics, but it is the starting point for our program analysis: A control point will be a subexpression of the program P being analysed, and our analyses will bind program flow information to subexpressions of P.

By the NIS Lemma 6, if P ⇑ then there exists an infinite call chain

P : [] = e0 : ρ0 → e1 : ρ1 → e2 : ρ2 → ...

By Lemma 7, ei ∈ subexp(P) for each i. Our termination-detecting algorithm will focus on the size relations between consecutive environments ρi and ρi+1 in this chain. Since subexp(P) is a finite set, at least one subexpression e occurs infinitely often, so "self-loops" will be of particular interest.
Example 2. Figure 2 shows the combinator Ω = (λx.x@x)@(λy.y@y) as a tree whose subexpressions are labeled by numbers. To its right is the "calls" relation →. It has an infinite call chain:

Ω : [] → x@x : ρ1 → y@y : ρ2 → y@y : ρ2 → y@y : ρ2 → ...

or 1 : [] → 3 : ρ1 → 7 : ρ2 → 7 : ρ2 → ... where ρ1 = [x ↦ λy.y@y : []] and ρ2 = [y ↦ λy.y@y : []].

The set of states reachable from P : [] is finite, so this computation enters a "repetitive loop."

[Figure 2 (drawing not reproduced).]

Fig. 2. A λ-expression and its call relation.

It is also possible that a computation will reach infinitely many states that are all different. Since all states have an expression component lying in a set of fixed size, and each expression in the environment also lies in this finite set, in an infinite state set S there will be states whose environment depths are arbitrarily large.
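The state space of Example 2 and of the paragraph above can be enumerated mechanically. The following is an added example and not the paper's own analyser: it runs the environment-based rules of Definition 9, follows the call relation → from P : [] (rules (Operator), (Operand) and (Call)) and reports the reachable states and the self-loop on y@y : ρ2 for Ω. The step budget on evaluation is an assumption added here so that the explorer itself terminates on programs whose operators or operands loop.

```python
# Added example (not from the paper): exploring the states reachable from
# P : [] along the call relation of Definition 9.
# Expressions: ('var', x) | ('lam', x, body) | ('app', e1, e2).
# A state is (expr, env); env is a frozenset of (name, value) pairs, and a
# value is itself a state whose expression is an abstraction (Definition 8).

class OutOfSteps(Exception):
    """Raised when the step budget (an assumption added here) runs out."""

def lookup(env, x):
    return dict(env)[x]

def evaluate(state, budget):
    """s ⇓ v by rules (Value), (Var), (Apply); budget is a one-element list."""
    if budget[0] <= 0:
        raise OutOfSteps()
    budget[0] -= 1
    e, env = state
    if e[0] == 'lam':                    # (Value): an abstraction is a value
        return state
    if e[0] == 'var':                    # (Var): x : ρ ⇓ ρ(x)
        return lookup(env, e[1])
    return evaluate(call_target(state, budget), budget)   # (Apply)

def call_target(state, budget):
    """(Call): e1@e2 : ρ →c e0 : ρ0[x ↦ v2] once operator and operand evaluate."""
    e, env = state
    (lam_e, env0) = evaluate((e[1], env), budget)
    v2 = evaluate((e[2], env), budget)
    x, e0 = lam_e[1], lam_e[2]
    env_new = frozenset({(y, v) for (y, v) in env0 if y != x} | {(x, v2)})
    return (e0, env_new)

def calls(state, budget=200):
    """All s' with s → s': (Operator), (Operand), and (Call) when it applies."""
    e, env = state
    if e[0] != 'app':
        return set()
    successors = {(e[1], env), (e[2], env)}
    try:
        successors.add(call_target(state, [budget]))
    except OutOfSteps:
        pass                             # operator or operand evaluation looped
    return successors

def explore(program):
    """Reachable states from program : [] and the call edges between them."""
    start = (program, frozenset())
    states, edges, todo = {start}, set(), [start]
    while todo:
        s = todo.pop()
        for t in calls(s):
            edges.add((s, t))
            if t not in states:
                states.add(t)
                todo.append(t)
    return states, edges

# Ω = (λx.x@x)@(λy.y@y), constructed inline.
L1 = ('lam', 'x', ('app', ('var', 'x'), ('var', 'x')))
L2 = ('lam', 'y', ('app', ('var', 'y'), ('var', 'y')))
OMEGA = ('app', L1, L2)
RHO2 = frozenset({('y', (L2, frozenset()))})      # ρ2 = [y ↦ λy.y@y : []]
YY_STATE = (L2[2], RHO2)                          # y@y : ρ2, label 7 in Fig. 2

def omega_loops_on_itself():
    """True iff y@y : ρ2 calls itself, the repetitive loop of Example 2."""
    _, edges = explore(OMEGA)
    return (YY_STATE, YY_STATE) in edges

if __name__ == '__main__':
    states, edges = explore(OMEGA)
    print(len(states), 'reachable states,', len(edges), 'call edges')
    print('self-loop on y@y : rho2:', omega_loops_on_itself())
```

For Ω the explorer finds seven states (Ω : [], the two abstractions, x@x : ρ1, x : ρ1, y@y : ρ2 and y : ρ2) and the call edge from y@y : ρ2 back to itself.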



4 Size-Change Analysis of the Untyped λ-Calculus

Our end goal, given program P, is correctly to assert the nonexistence of infinite call chains starting at P : []. Our means are size-change graphs G that "safely" describe the relation between states s1 and s2 in a call s1 → s2 or an evaluation s1 ⇓ s2. First, we develop a "value decrease" notion suitable for the untyped λ-calculus. This is essentially the "height" of a closure value e : ρ.

4.1 Size Changes in a Computation (Challenge 3)

The support of a state s = e : ρ is given by

support(e : ρ) = {e : ρ} ∪ ⋃_{x ∈ fv(e)} support(ρ(x))

Definition 11. Relations s1 ⊒ s2 and s1 ≻ s2.

— s1 ⊒ s2 holds if support(s1) ∋ s2;

— s1 ⊒ s2 holds if s1 = e1 : ρ1 and s2 = e2 : ρ2, where subexp(e1) ∋ e2 and ρ1(x) = ρ2(x) for all x ∈ fv(e2); and

— s1 ≻ s2 holds if s1 ⊒ s2 and s1 ≠ s2.

Sets support(e : ρ) and subexp(e) are clearly finite, yielding:

Lemma 8. The relation ≻ ⊆ State × State is well-founded.

Definition 12. We now relate states to the components of a size-change graph:

1. The graph basis of a state s = e : ρ is gb(s) = fv(e) ∪ {•}.

2. Suppose s1 = e1 : ρ1 and s2 = e2 : ρ2. A size-change graph G relating the pair (s1, s2) has source gb(s1) and target gb(s2).

3. We abbreviate (fv(e1) ∪ {•}) →G (fv(e2) ∪ {•}) to e1 →G e2.

4. The valuation function s̄ : gb(s) → Value of a state s = e : ρ is defined by:

   s̄(•) = s and s̄(x) = ρ(x)

Definition 13. Let s1 = e1 : ρ1 and s2 = e2 : ρ2. Size-change graph e1 →G e2 is safe³ for (s1, s2) if

a1 →= a2 ∈ G implies s̄1(a1) = s̄2(a2) and
a1 →↓ a2 ∈ G implies s̄1(a1) ≻ s̄2(a2)

Explanation: an arc • →r • in G r-relates the two states s1 = e1 : ρ1 and s2 = e2 : ρ2. Relation r ∈ {=, ↓} corresponds to s1 = s2 or s1 ≻ s2 as in Definition 11. Further, an arc x →r y similarly relates the value of x in environment ρ1 to the value of y in environment ρ2. An arc • →r y in G r-relates the state s1 = e1 : ρ1 to the value of y in environment ρ2, and an arc x →r • similarly relates the value of x in environment ρ1 to the state s2 = e2 : ρ2.

Definition 14. A set 𝒢 of size-change graphs is safe for program P if P : [] →* s1 → s2 implies some G ∈ 𝒢 is safe for the pair (s1, s2).

Example 3. Figure 3 shows a graph set 𝒢 that is safe for program Ω = (λx.x@x)@(λy.y@y). For brevity, each subexpression of Ω is referred to by number in the diagram of 𝒢. Subexpression 1 = Ω has no free variables, so arcs from node 1 are labeled with size-change graphs G0 = ∅.

Theorem 1. If 𝒢 is safe for program P and satisfies the size-change condition, then call-by-value evaluation of P terminates.

³ The term "safe" comes from abstract interpretation [3]. An alternative would be "sound."
[Figure 3 (drawing not reproduced).]

Fig. 3. A set of size-change graphs that safely describes Ω's nonterminating computation.

Proof. Suppose call-by-value evaluation of P does not terminate. Then by Lemma 6 there is an infinite call chain

P : [] = e0 : ρ0 → e1 : ρ1 → e2 : ρ2 → ...

Letting si = ei : ρi, by safety of 𝒢 (Definition 14), there is a size-change graph Gi ∈ 𝒢 that safely describes each pair (si, si+1). By the size-change condition (Definition 3) the multipath M = G0, G1, ... has an infinite thread t = aj →rj aj+1 →rj+1 ... such that k ≥ j implies ak →rk ak+1 ∈ Gk, and each rk is ↓ or =, and there are infinitely many rk = ↓. Consider the value sequence s̄j(aj), s̄j+1(aj+1), .... By safety of Gk (Definition 13) we have s̄k(ak) ⊒ s̄k+1(ak+1) for every k ≥ j, and infinitely many proper decreases s̄k(ak) ≻ s̄k+1(ak+1). However this is impossible since by Lemma 8 the relation ≻ on Value is well-founded.

Conclusion: call-by-value evaluation of P terminates. □

The goal is partly achieved: We have found a sufficient condition on a set of size-change graphs to guarantee program termination. What we have not yet done is to find an algorithm to construct a size-change graph set 𝒢 that is safe for P. (The safety condition of Definition 14 is in general undecidable, so enumeration of all graphs won't work.) Our graph construction algorithm is developed in two steps:

— First, the exact evaluation and call relations are "instrumented" so as to produce safe size-change graphs during evaluation.

— Second, an abstract interpretation of these rules yields a computable over-approximation 𝒢 that contains all graphs that can be built during exact evaluation.

4.2 Safely Describing Value Flows in a Single Computation (Challenge 4)

First, the exact evaluation and call relations are "instrumented" so as to produce safe size-change graphs during evaluation.
Definition 15. (Evaluation and call with graph generation) The extended evaluation and call judgement forms are e : ρ → e' : ρ', G and e : ρ ⇓ e' : ρ', G. The inference rules are:

(ValueG)     λx.e : ρ ⇓ λx.e : ρ, id⇓_{λx.e}

(VarG)       x : ρ ⇓ ρ(x), {x →= •} ∪ {x →↓ y | y ∈ fv(e')}   (if ρ(x) = e' : ρ')

(OperatorG)  e1@e2 : ρ →r e1 : ρ, id→_{e1}

(OperandG)   e1 : ρ ⇓ v1
             ----------------------------
             e1@e2 : ρ →d e2 : ρ, id→_{e2}

(CallG)      e1 : ρ ⇓ λx.e0 : ρ0, G1    e2 : ρ ⇓ v2, G2
             -----------------------------------------------
             e1@e2 : ρ →c e0 : ρ0[x ↦ v2], G1^{•→} ∪ G2^{•→x}

(ApplyG)     e1@e2 : ρ →c e' : ρ', G'    e' : ρ' ⇓ v, G
             ------------------------------------------
                      e1@e2 : ρ ⇓ v, (G'; G)

Notations used in the rules (x, y, z are variables and not •):

id⇓_e stands for {• →= •} ∪ {x →= x | x ∈ fv(e)}
id→_e stands for {• →↓ •} ∪ {x →= x | x ∈ fv(e)}

G1^{•→} stands for {y →r z | y →r z ∈ G1} ∪ {• →↓ z | • →r z ∈ G1}

G2^{•→x} stands for {y →r x | y →r • ∈ G2} ∪ {• →↓ x | • →r • ∈ G2}

The diagram of Figure 4 may be of some use in visualising data-flow during evaluation of e1@e2. States are in ovals and triangles represent environments. In the application e1@e2 : ρ on the left, operator e1 : ρ evaluates to λx.e0 : ρ0, G1 and operand e2 : ρ evaluates to e' : ρ', G2. The size-change graphs G1 and G2 show relations between variables bound in their environments. There is a call from the application e1@e2 : ρ to e0 : ρ0[x ↦ e' : ρ'], the body of the operator value with the environment extended with a binding of x to the operand value e' : ρ'.

Lemma 9. s → s', G (by Definition 15) iff s → s' (by Definition 7). Further, s ⇓ s', G iff s ⇓ s'.

Theorem 2. (The extracted graphs are safe) s → s', G or s ⇓ s', G implies G is safe for (s, s').

Proof. The Lemma is immediate since the new rules extend the old, without any restriction on their applicability. Proof of "safety" is by a case analysis deferred to the Appendix. □
4.3 Abstract Interpretation of the "Calls" and "Evaluates-to" Relations (Challenge 5)

A coarse approximation may be obtained by removing all environment components. To deal with the absence of environments the variable lookup rule is modified: If e1@e2 is any application in P such that e1 can evaluate to a value of form λx.e and e2 can evaluate to value v2, then v2 is regarded as a possible value of x.

The main virtue of these rules is that there are only finitely many possible judgements e → e' and e ⇓ e'. Consequently, the runtime behavior of program P may be (approximately) analysed by exhaustively applying these inference rules. The next section will extend the rules so they also generate size-change graphs.

Definition 16. (Approximate evaluation and call rules) The new judgement forms are e ⇓ e' and e → e'. The inference rules are:

(ValueA)     λx.e ⇓ λx.e

(VarA)       e1@e2 ∈ subexp(P)    e1 ⇓ λx.e0    e2 ⇓ v2
             ------------------------------------------
                               x ⇓ v2

(OperatorA)  e1@e2 →r e1

(OperandA)   e1@e2 →d e2

(CallA)      e1 ⇓ λx.e0    e2 ⇓ v2
             ----------------------
                  e1@e2 →c e0

(ApplyA)     e1@e2 →c e'    e' ⇓ v
             ---------------------
                  e1@e2 ⇓ v

Remark: the (VarA) rule refers globally to P, the program being analysed. Notice that the approximate evaluation is nondeterministic: An expression may evaluate to more than one value.

Lemma 10. Suppose P : [] →* e : ρ. If e : ρ ⇓ e' : ρ' then e ⇓ e'. Further, if e : ρ → e' : ρ' then e → e'.

Proof. Straightforward; see the Appendix. □



4.4 Construction of Size-Change Graphs by Abstract Interpretation

We now extend the coarse approximation to construct size-change graphs.

Definition 17. (Approximate evaluation and call with graph generation) The judgement forms are now e → e', G and e ⇓ e', G.

(ValueAG)    λx.e ⇓ λx.e, id⇓_{λx.e}

(VarAG)      e1@e2 ∈ subexp(P)    e1 ⇓ λx.e0, G1    e2 ⇓ v2, G2
             ---------------------------------------------------
                 x ⇓ v2, {x →= •} ∪ {x →↓ y | y ∈ fv(v2)}

(OperatorAG) e1@e2 →r e1, id→_{e1}

(OperandAG)  e1@e2 →d e2, id→_{e2}

(CallAG)     e1 ⇓ λx.e0, G1    e2 ⇓ v2, G2
             ---------------------------------
             e1@e2 →c e0, G1^{•→} ∪ G2^{•→x}

(ApplyAG)    e1@e2 →c e', G'    e' ⇓ v, G
             ----------------------------
                  e1@e2 ⇓ v, G'; G

Lemma 11. Suppose P : [] →* e : ρ. If e : ρ → e' : ρ', G then e → e', G. Further, if e : ρ ⇓ e' : ρ', G then e ⇓ e', G.

Proof. Straightforward; see the Appendix. □

Definition 18.

absint(P) = { Gj | j > 0 ∧ ∃ ei, Gi (0 ≤ i ≤ j) : P = e0 ∧ (e0 → e1, G1) ∧ ... ∧ (ej−1 → ej, Gj) }

Theorem 3.

1. The set absint(P) is safe for P.

2. The set absint(P) can be effectively computed from P.

Proof. Part 1: Suppose P : [] = s0 → s1 → ... → si. Theorem 2 implies si → si+1, Gi where each Gi is safe for the pair (si, si+1). Let si = ei : ρi. By Lemma 11, ei → ei+1, Gi. By the definition of absint(P), Gi ∈ absint(P).

Part 2: There is only a fixed number of subexpressions of P, or of possible size-change graphs. Thus absint(P) can be computed by applying Definition 17 exhaustively, starting with P, until no new graphs or subexpressions are obtained.

□
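The rules of Definition 17, the set absint(P) of Definition 18 and the size-change condition of Definitions 1-3 can be run as a small program. The following is an added example and not the paper's analyser: it applies the rules exhaustively to a fixpoint over the finitely many subexpressions of P (Theorem 3, part 2), keeps the call edges on chains from P, and then decides the size-change condition by closing the graph set under composition and checking that every idempotent self-loop graph has a strict arc x →↓ x (the standard closure criterion for the size-change condition). It assumes, as Lemma 3 does, that bound variable names are distinct; the programs Ω and 2 succ 0 id1 id2 of Section 5.1 are constructed inline.

```python
# Added example (not the paper's analyser): Definition 17 run to a fixpoint,
# absint(P) of Definition 18, and the size-change condition decided by closure.
# Expressions: ('var', x) | ('lam', x, body) | ('app', e1, e2).
# Assumption (as in Lemma 3): all bound variable names in a program are distinct.
from itertools import product

DOT = '*'                 # the basis node "•", standing for the state itself
EQ, DOWN = '=', '>'       # arc labels: equal, strictly decreasing

def fv(e):
    """Free variables of an expression."""
    if e[0] == 'var': return {e[1]}
    if e[0] == 'lam': return fv(e[2]) - {e[1]}
    return fv(e[1]) | fv(e[2])

def subexp(e):
    """All subexpressions of e (the control points), e itself included."""
    found = {e}
    for part in e[1:]:
        if isinstance(part, tuple): found |= subexp(part)
    return found

def compose(g1, g2):
    """G1;G2 of Definition 1: the composite arc is strict iff either part is."""
    return frozenset((a, DOWN if DOWN in (r, s) else EQ, c)
                     for (a, r, b) in g1 for (b2, s, c) in g2 if b == b2)

def identity(e, dot_label):
    """id^⇓_e (dot_label '=') or id^→_e (dot_label '>') from Definition 15."""
    return frozenset({(DOT, dot_label, DOT)} | {(x, EQ, x) for x in fv(e)})

def absint(P):
    """Exhaustively apply (ValueAG)..(ApplyAG); return the call edges (e, e', G)
    lying on call chains that start at P, i.e. absint(P) with its end points."""
    evals, calls = {}, {}        # e -> {(v, G)}  and  e -> {(e', G, kind)}
    def add(table, key, item):
        bucket = table.setdefault(key, set())
        if item in bucket: return False
        bucket.add(item)
        return True
    apps = [e for e in subexp(P) if e[0] == 'app']
    for e in subexp(P):                                         # (ValueAG)
        if e[0] == 'lam': add(evals, e, (e, identity(e, EQ)))
    changed = True
    while changed:
        changed = False
        for e in apps:
            e1, e2 = e[1], e[2]
            changed |= add(calls, e, (e1, identity(e1, DOWN), 'r'))   # (OperatorAG)
            changed |= add(calls, e, (e2, identity(e2, DOWN), 'd'))   # (OperandAG)
            pairs = product(list(evals.get(e1, ())), list(evals.get(e2, ())))
            for (v1, g1), (v2, g2) in pairs:
                if v1[0] != 'lam': continue
                x, e0 = v1[1], v1[2]
                gx = {(x, EQ, DOT)} | {(x, DOWN, y) for y in fv(v2)}
                changed |= add(evals, ('var', x), (v2, frozenset(gx)))  # (VarAG)
                gc = ({(a, r, b) for (a, r, b) in g1 if a != DOT and b != DOT}
                      | {(DOT, DOWN, b) for (a, r, b) in g1 if a == DOT and b != DOT}
                      | {(a, r, x) for (a, r, b) in g2 if a != DOT and b == DOT}
                      | {(DOT, DOWN, x) for (a, r, b) in g2 if a == DOT and b == DOT})
                changed |= add(calls, e, (e0, frozenset(gc), 'c'))     # (CallAG)
            for (e_, g_, kind) in list(calls.get(e, ())):               # (ApplyAG)
                if kind == 'c':
                    for (v, g) in list(evals.get(e_, ())):
                        changed |= add(evals, e, (v, compose(g_, g)))
    edges, seen, todo = set(), {P}, [P]
    while todo:                              # keep only chains from P (Definition 18)
        e = todo.pop()
        for (e_, g, _) in calls.get(e, ()):
            edges.add((e, e_, g))
            if e_ not in seen: seen.add(e_); todo.append(e_)
    return edges

def size_change_terminates(edges):
    """Size-change condition (Definition 3), decided by closing the edge set
    under composition: it holds iff every idempotent self-loop graph G
    (G;G = G) has an arc x > x."""
    closure = set(edges)
    while True:
        new = {(a, c, compose(g, h)) for (a, b, g) in closure
               for (b2, c, h) in closure if b == b2}
        if new <= closure: break
        closure |= new
    return all(any(a == b and r == DOWN for (a, r, b) in g)
               for (e, e2, g) in closure if e == e2 and compose(g, g) == g)

def lam(x, body): return ('lam', x, body)
def var(x): return ('var', x)
def app(f, *args):
    for a in args: f = ('app', f, a)
    return f

# Ω = (λx.x@x)@(λy.y@y), which loops, and 2 succ 0 id1 id2 from Section 5.1
OMEGA = app(lam('x', app(var('x'), var('x'))), lam('y', app(var('y'), var('y'))))
SUCC_BODY = app(app(var('m'), var('s')), app(var('s'), var('z')))   # label 15
SUCC = lam('m', lam('s', lam('z', SUCC_BODY)))
TWO = lam('s2', lam('z2', app(var('s2'), app(var('s2'), var('z2')))))
ZERO = lam('s1', lam('z1', var('z1')))
CHURCH = app(TWO, SUCC, ZERO, lam('x', var('x')), lam('y', var('y')))

def self_loops(edges, e):
    """The graphs on direct self-calls e → e found by the analysis."""
    return {g for (a, b, g) in edges if a == e == b}

if __name__ == '__main__':
    for name, prog in [('Omega', OMEGA), ('2 succ 0 id1 id2', CHURCH)]:
        verdict = 'Yes' if size_change_terminates(absint(prog)) else 'No'
        print(name, '- Size Change Termination:', verdict)
    print('loop 15 -> 15:', self_loops(absint(CHURCH), SUCC_BODY))
```

On Ω the only cycle is y@y → y@y with the graph {y →= y}, which is idempotent and has no strict arc, so the answer is No; on 2 succ 0 id1 id2 the self-call on the body of succ carries {m →↓ m, s →= s, z →= z}, the loop 15 → 15 reported in Section 5.1.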
5 Examples and Experimental Results

5.1 Simple Example

Using Church numerals (n = λs.λz.sⁿ(z)), we expect 2 succ 0 to reduce to succ(succ 0). However this contains unreduced redexes because call-by-value does not reduce under a λ, so we force the computation to carry on through by applying 2 succ 0 to the identity (twice). This gives:

2 succ 0 id1 id2 where

succ = λm.λs.λz. m s (s z)
id1 = λx.x
id2 = λy.y

After writing this out in full as a λ-expression, our analyser yields (syntactically sugared):

[λs2.λz2. (s2 @ (s2 @ z2))]          -- two
@ [λm.λs.λz. 15:((m@s)@(s@z))]      -- succ
@ [λs1.λz1. z1]                      -- zero
@ [λx.x]                             -- id1
@ [λy.y]                             -- id2

Output of loops from an analysis of this program:

15 →* 15: [(m,>,m), (s,=,s), (z,=,z)], []

Size Change Termination: Yes

The loop occurs because application of 2 forces the code for the successor function to be executed twice, with decreasing argument values m. The notation for edges is a little different from previously, here (m,>,m) stands for m →↓ m.

5.2 f n x = x + 2ⁿ by Church Numerals

This more interesting program computes f n x = x + 2ⁿ by higher-order primitive recursion. If n is a Church numeral then expression n g x reduces to gⁿ(x). Let x be the successor function, and g be a "double application" functional. Expressed in a readable named combinator form, we get:

f n x where

f n = if n=0 then succ else g(f(n-1))
g r a = r(r a)
As a lambda-expression (applied to values n = 3, x = 4) this can be written:

[λn.λx. n                                        -- n --
   @ [λr.λa. 11:(r @ 13:(r@a))]                   -- g --
   @ [λk.λs.λz. (s@((k@s)@z))]                    -- succ --
   @ x ]                                          -- x --
@ [λs2.λz2. (s2@(s2@(s2@z2)))]                    -- 3 --
@ [λs1.λz1. (s1@(s1@(s1@(s1@z1))))]               -- 4 --

Following is the output from program analysis. The analysis found the following loops from a program point to itself with the associated size change graph and path. The first number refers to the program point, then comes a list of edges and last a list of numbers, the other program points that the loop passes through.

SELF Size Change Graphs, no repetition of graphs:

11 → 11: [(r,>,r)]              []
11 → 11: [(a,=,a), (r,>,r)]     [13]
13 → 13: [(a,=,a), (r,>,r)]     [11]
13 → 13: [(r,>,r)]              [11,11]

Size Change Termination: Yes

5.3 Ackermann's Function, Second-Order

This can be written without recursion using Church numerals as: a m n where a = λm. m b succ and b = λg.λn. n g (g 1). Consequently a m = bᵐ(succ) and b g n = gⁿ⁺¹(1), which can be seen to agree with the usual first-order definition of Ackermann's function. Following is the same as a lambda-expression applied to argument values m=2, n=3, with numeric labels on some subexpressions.

(λm.m b succ) 2 3 = (λm.m@b@succ)@2@3
                  = (λm.m@(λg.λn.n@g@(g@1))@succ)@2@3
                  = (λm.m@(λg.λn. 9:(n@g@ 13:(g@1)))@succ)@2@3

where

1    = λs1.λz1. 17:(s1@z1)
succ = λk.λs.λz. 23:(s@ 25:(k@s@z))
2    = λs2.λz2. s2@(s2@z2)
3    = λs3.λz3. 39:(s3@ 41:(s3@ 43:(s3@z3)))

Output from an analysis of this program is shown here.

SELF Size Change Graphs, no repetition of graphs:

(Because graphs are only taken once it is not always the case that the same loop is shown for all program points in its path)

9 → 9:    [(•,>,n), (g,>,g)]              [13]
9 → 9:    [(g,>,g)]                        [17]
13 → 13:  [(g,>,g)]                        [9]
17 → 17:  [(s1,>,s1)]                      [9]
23 → 23:  [(k,>,k), (s,=,s), (z,=,z)]      [25]
23 → 23:  [(s,>,s)]                        [9]
23 → 23:  [(s,>,s), (z,>,k)]               [25,17,9]
25 → 25:  [(k,>,k), (s,=,s), (z,=,z)]      [23]
25 → 25:  [(s,>,s), (z,>,k)]               [17,9,23]
25 → 25:  [(s,>,s)]                        [23,9,23]
39 → 39:  [(s3,>,s3)]                      [9]
41 → 41:  [(s3,>,s3)]                      [9,39]
43 → 43:  [(s3,>,s3)]                      [9,39,41]

Size Change Termination: Yes

5.4 A Minimum Function, 

with General Recursion and Y-Combinator 

We have another version of the termination analysis where programs can have 
as constants: natural numbers, predecessor, successor and zero-test, and also 
if-then-else expressions. In this setting it is possible to analyse the termination 
behaviour of a program with arbitrary natural number as input represented 
by •. This program computes the minimum of its two inputs using the call-by- 
value combinator V = Ap. [Aq.p@(As.q@q@s)] @ [At.p@(Au.t@t@u)] . The 
program, first as a first-order recursive definition. 

m X y = if x=0 then 0 else if y=0 then 0 else succ (m (pred 
x) (pred y)) 

Now, in A-expression form for analysis. 

{λp. [λq. p@(λs. q@q@s)] @ [λt. p@(λu. t@t@u)]}     (the Y combinator)
@
[λm. λx. λy. 27:[if((ztst@x),
                    0,
                    32:[if((ztst@y),
                           0,
                           37:[succ @ 39:[m@(pred@x)@(pred@y)]])])]]



Output of loops from our analysis of this program:

  27 → 27   [(x,>,x), (y,>,y)]   [32,37,39]
  32 → 32   [(x,>,x), (y,>,y)]   [37,39,27]
  37 → 37   [(x,>,x), (y,>,y)]   [39,27,32]
  39 → 39   [(x,>,x), (y,>,y)]   [27,32,37]

Size Change Termination: Yes
5.5 Ackermann's Function, Second-Order with Constants and Y-Combinator

Ackermann's function can be written as: a m n where a 0 n = n + 1,
a m = b^m(suc) and b g n = g^(n+1)(1). The following program expresses the
computations of both a and b by loops, using the Y combinator (twice).



[λy. λy1.
  (y1 @ λa. λm. 11:[if((ztst@m),
                       λv.(suc@v),
                       ((y @ 19:[λb. λf. λn. 25:[if((ztst@n),
                                                  29:[(f@1)],
                                                  32:[f @ (b@f@(pred@n))])]])
                        @ 41:[a@(pred@m)]))])]
@ {λp. [λq. p@(λs. q@q@s)] @ [λt. p@(λu. t@t@u)]}
@ {λp1. [λq1. p1@(λs1. 72:[q1@q1@s1])] @ [λt1. p1@(λu1. 81:[t1@t1@u1])]}



Output of loops from our analysis of this program:
SELF Size Change Graphs, no repetition of graphs:

  11 → 11   [(a,>,y), (m,>,m)]   [19,41,72]
  11 → 11   [(m,>,m)]            [19,41,72,11,19,41,72]
  19 → 19   [(a,>,y), (m,>,m)]   [41,72,11]
  19 → 19   [(m,>,m)]            [41,72,11,19,41,72,11]
  25 → 25   [(f,>,b), (f,>,f)]   [29]
  25 → 25   [(f,=,f), (n,>,n)]   [32,34]
  25 → 25   [(f,>,f)]            [29,25,32,34]
  29 → 29   [(f,>,f)]            [25]
  32 → 32   [(f,>,b), (f,>,f)]   [25]
  32 → 32   [(f,=,f), (n,>,n)]   [34,25]
  32 → 32   [(f,>,f)]            [25,32,34,25]
  34 → 34   [(f,=,f), (n,>,n)]   [25,32]
  34 → 34   [(f,>,b), (f,>,f)]   [25,29,25,32]
  34 → 34   [(f,>,f)]            [25,29,25,32,34,25,32]
  41 → 41   [(m,>,m)]            [72,11,19]
  72 → 72   [(s1,>,s1)]          [11,19,41]
  81 → 81   [(u1,>,u1)]          [11,19,41]

Size Change Termination: Yes
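The loop listings in Sections 5.3 to 5.5 are what a size-change analysis prints after composing per-call graphs along paths and checking the closure. The following is an added example (not code from the paper or its analyser) that implements graph composition, the closure, and the size-change termination criterion in Python; the per-call graphs for the minimum function at points 27, 32, 37 and 39 are constructed by hand here, since the paper prints only the composed self-loops.

```python
"""Size-change termination check over size-change graphs (added example,
not code from the paper).  From per-call graphs it computes all loops by
composition and applies the criterion: every idempotent self-loop graph must
contain a strictly decreasing arc x > x."""
from itertools import product

STRICT, EQUAL = '>', '='   # arc relations, as in the paper's (x,>,x) / (s,=,s)


def compose(g1, g2):
    """G1;G2 as in the paper's Definition 1: arcs a -r1-> b in G1 and b -r2-> c
    in G2 yield a -r-> c with r strict iff r1 or r2 is strict.  When both an
    equal and a strict arc a -> c arise, only the strict one is kept."""
    best = {}
    for (a, r1, b), (b2, r2, c) in product(g1, g2):
        if b == b2 and best.get((a, c)) != STRICT:
            best[(a, c)] = STRICT if STRICT in (r1, r2) else EQUAL
    return frozenset((a, r, c) for (a, c), r in best.items())


def closure(calls):
    """calls: set of (p, q, G), a call from program point p to q with graph G.
    Returns every (p, r, G1;...;Gk) obtained by composing consecutive calls;
    the set is finite because points and variables are."""
    result = set(calls)
    changed = True
    while changed:
        changed = False
        for (p, q, g), (q2, r, h) in list(product(result, result)):
            if q == q2:
                item = (p, r, compose(g, h))
                if item not in result:
                    result.add(item)
                    changed = True
    return result


def loops_at(calls, point):
    """The self-loop graphs p -> p that the analysis lists for one point."""
    return {g for (p, q, g) in closure(calls) if p == q == point}


def has_strict_self_arc(g):
    return any(r == STRICT and a == c for (a, r, c) in g)


def sct(calls):
    """Size-change termination: no infinite call chain can exist if every
    idempotent self-loop graph (G;G == G) has an arc x > x."""
    return all(has_strict_self_arc(g) for (p, q, g) in closure(calls)
               if p == q and compose(g, g) == g)


# Constructed input for the minimum function: the calls 27->32, 32->37 and
# 37->39 pass x and y unchanged; the recursive call 39->27 uses pred@x, pred@y.
ID = frozenset({('x', EQUAL, 'x'), ('y', EQUAL, 'y')})
DEC = frozenset({('x', STRICT, 'x'), ('y', STRICT, 'y')})
MIN_CALLS = {(27, 32, ID), (32, 37, ID), (37, 39, ID), (39, 27, DEC)}

# A loop that never decreases anything, and one whose only graph swaps x and
# y (not idempotent itself, but its square decreases both variables).
NO_DECREASE = {(1, 1, frozenset({('x', EQUAL, 'x')}))}
SWAP_G = frozenset({('x', STRICT, 'y'), ('y', EQUAL, 'x')})
SWAP = {(1, 1, SWAP_G)}

if __name__ == '__main__':
    for point in (27, 32, 37, 39):
        print(point, sorted(sorted(g) for g in loops_at(MIN_CALLS, point)))
    print('Size Change Termination:', 'Yes' if sct(MIN_CALLS) else 'No')
```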
5.6 Imprecision of Abstract Interpretation

It is natural to wonder whether the gross approximation of Definition 16 comes 
at a cost. The (VarA) rule can in effect “mix up” different function applications, 
losing the coordination between operator and operand that is present in the 
exact semantics. 

We have observed this in practice: The first time we had programmed Ackermann's
using explicit recursion, we used the same instance of Y-combinator for
both loops, so the single Y-combinator expression was "shared". The analysis
did not discover that the program terminated.

However, when this was replaced by the "unshared" version above, with two
instances of the Y-combinator (y and y1), one for each application, the problem
disappeared and termination was correctly recognised.



6 Concluding Matters 

Acknowledgements: The authors gratefully acknowledge detailed and constructive
comments by Arne Glenstrup and Chin Soon Lee, and insightful comments
by Luke Ong and David Wahlstedt.

Related work: Papers subsequent to [5] have used size-change graphs to find 
bounds on program running times [1]; solved related problems, e.g., to ensure 
that partial evaluation will terminate [4,6]; and found more efficient (though 
less precise) algorithms [7]. Further, the thesis [8] extends the first-order size- 
change method [5] to handle higher-order named combinator programs. It uses 
a different approach than ours, and appears to be less general. 

It is natural to compare the size-change condition with strongly normalising
subsets of the λ-calculus, in particular subsets that are typable by various
disciplines, ranging from simple types up to and including Girard's System F [2].

A notable difference is that general recursion better matches the habits of the 
working computer scientist: primitive recursion is unnatural for programming, 
and even more so when higher types are used. On the other hand, the class 
of functions computable by typable A-expressions is enormous, and precisely 
characterised. Conclusion: more investigations need to be done. 

Future work 

1. Extend the analysis so it can recognise, given a program P, that P@v will
terminate for any choice of v from a given data set, e.g., Church or other
numerals. This seems straightforward.

2. Prove or disprove Conjecture: The size-change method will recognise as
terminating any simply typed λ-expression (sans types).

3. Prove or disprove Conjecture: The size-change method will recognise as 
terminating any System T expression (sans types, and coded using Church 
numerals) . 
Proof. If: Consider a proof tree of P ⇓ w. Each call rule of Definition 6 is associated
with a use of rule (ApplyS) from Definition 5. There will be a call e → e'
from each (ApplyS) conclusion e ⇓ v to one of its three premises e' ⇓ v' in the
proof tree, and only these. Since the proof tree is finite, there will be no infinite
call chains. (An inductive proof is omitted for brevity.)

Only if: Assume P →* e and all call chains from e are finite. We prove by
induction on the maximal length n of a call chain from e that e ⇓.
n = 0: e is an abstraction that evaluates to itself.

n > 0: e must be an application e = e1@e2. By rule (Operators) there is
a call e1@e2 → e1, and the maximal length of a call chain from e1 is less than
n. By induction there exists v1 such that e1 ⇓ v1. We now conclude by rule
(Operands) that e1@e2 → e2. By induction there exists v2 such that e2 ⇓ v2.

All values are abstractions, so we can write v1 = λx.e0. We now conclude
by rule (CallS) that e1@e2 → e0[x := v2]. By induction again, e0[x := v2] ⇓ v
for some v. This gives us all premises for the (ApplyS) rule of Definition 5, so
e = e1@e2 ⇓ v. □

B Proof of Lemma 5

Lemma 12. P : [] ⇓ v (by Definition 9) implies P ⇓ F(v) (by Definition 5) for
any program P.

Proof. Let s ∈ State, and assume s ⇓ v by Definition 9. This has a finite proof
tree. We prove by induction on the height n of the proof tree that s ⇓ v implies
F(s) ⇓ F(v) by Definition 5. It then follows that P : [] ⇓ v implies P ⇓ F(v).

n = 0: Two possibilities. First, s ∈ Value implies there is an abstraction
such that s = λx.e : ρ and s = v. F(s) = F(v) is an abstraction F(s) =
F(λx.e : ρ) = λx.F(e : ρ|fv(λx.e)), hence F(s) ⇓ F(v). Second, s = x : ρ implies
s ⇓ ρ(x) = v = λy.e' : ρ'. By definition F(s) = x[F(ρ(x))/x] = F(ρ(x)) = F(v).
Since v is an abstraction also F(s) ⇓ F(v) as before.

n > 0: Consider s ∈ State such that s ⇓ v has evaluation tree of height
n > 0. It must be an application s = e1@e2 : ρ, and the last rule applied must
be the (Apply) rule. By induction we have F(e1 : ρ) ⇓ F(λx.e0 : ρ0) = λx.F(e0 : ρ0|fv(λx.e0)),
F(e2 : ρ) ⇓ F(v2), and F(e0 : ρ0[x ↦ v2]) ⇓ F(v).

By definition of F we have F(e0 : ρ0[x ↦ v2]) = F(e0 : ρ0|fv(λx.e0))[F(v2)/x].

All premises in the standard semantics (ApplyS) rule hold, so we conclude F(s) =
F(e1 : ρ)@F(e2 : ρ) ⇓ F(v) as required. □



Lemma 13. For any state e : ρ it holds that e : ρ → e' : ρ' implies F(e : ρ) →
F(e' : ρ').

Proof. e : ρ → e' : ρ' implies e = e1@e2. Clearly F(e : ρ) = F(e1@e2 : ρ) =
F(e1 : ρ)@F(e2 : ρ). There are 3 possibilities for e' : ρ':

1. (Operator) rule has been applied: e' : ρ' = e1 : ρ. The (Operator) rule always
applies to an application, hence we also have F(e1 : ρ)@F(e2 : ρ) → F(e1 : ρ).

2. (Operand) rule has been applied: e' : ρ' = e2 : ρ. Then it must hold for some
v that e1 : ρ ⇓ v, so by Lemma 12, F(e1 : ρ) ⇓ F(v). It follows that rule
(Operand) can be applied and hence F(e1 : ρ)@F(e2 : ρ) → F(e2 : ρ).

3. (Call) rule has been applied. For some λx.e0 : ρ0 and v2 we have e1 : ρ ⇓
λx.e0 : ρ0 and e2 : ρ ⇓ v2 and e' : ρ' = e0 : ρ0[x ↦ v2]. By Lemma 12 we have
F(e2 : ρ) ⇓ F(v2) and F(e1 : ρ) ⇓ F(λx.e0 : ρ0) = λx.F(e0 : ρ0|fv(λx.e0)).
Then by rule (Call) there is a call to
F(e0 : ρ0|fv(λx.e0))[F(v2)/x]. As before, F(e0 : ρ0[x ↦ v2]) = F(e0 : ρ0|fv(λx.e0))[F(v2)/x].

We conclude that in all cases when we have a call e : ρ → e' : ρ' then we also
have a call F(e : ρ) → F(e' : ρ'). □

Proof of Lemma 5: "Only if" is Lemma 12. For "if" suppose P ⇓ F(v). By
Lemma 13 this implies P : [] ⇓ v' for some v'. Lemma 2 (Determinism) implies
v = v'. □

C Proof of Theorem 2

Proof. For the "safety" theorem we use induction on proofs of s ⇓ s', G or
s → s', G. Safety of the constructed graphs for rules (ValueG), (OperatorG) and
(OperandG) is immediate by Definitions 13 and 11.

The variable lookup rule (VarG) yields x : ρ ⇓ ρ(x), G with G =
{x →= •} ∪ {x →↓ y | y ∈ fv(e')} and ρ(x) = e' : ρ'. By Definition 12, (x : ρ)(x) =
ρ(x) = ρ(x)(•), so arc x →= • satisfies Definition 13. Further, if x →↓ y ∈ G then
y ∈ fv(e'). Thus ρ'(y) ∈ support(x : ρ), so ρ(x) ≻ ρ'(y) as required.

The rule (CallG) concludes s → s', G, where s = e1@e2 : ρ and s' = e0 :
ρ0[x ↦ v2] and G = G1* ∪ G2*x. Its premises are e1 : ρ ⇓ λx.e0 : ρ0, G1 and
e2 : ρ ⇓ v2, G2. Let v2 = e' : ρ'. We assume inductively that G1 is safe for
(e1 : ρ, λx.e0 : ρ0) and that G2 is safe for (e2 : ρ, v2).

We wish to show safety: that a →= a' ∈ G implies s(a) = s'(a'), and a →↓
a' ∈ G implies s(a) ≻ s'(a'). By definition of G1* and G2*x, a → a' ∈ G =
G1* ∪ G2*x breaks into 6 cases:

Case 1: y →= z ∈ G1* because y →= z ∈ G1, where y ∈ fv(e1) and z ∈ fv(λx.e0).
By safety of G1, ρ(y) = ρ0(z). Thus, as required,

  s(y) = (e1@e2 : ρ)(y) = ρ(y) = ρ0(z) = ρ0[x ↦ v2](z) = s'(z)

Case 2: y →↓ z ∈ G1* because y →↓ z ∈ G1. Like Case 1.

Case 3: • →↓ z ∈ G1* because • → z ∈ G1, where z ∈ fv(λx.e0). Now • in G1
refers to e1 : ρ, so e1 : ρ ⪰ ρ0(z) by safety of G1. Thus, as required,

  s(•) = e1@e2 : ρ ≻ e1 : ρ ⪰ ρ0(z) = ρ0[x ↦ v2](z) = s'(z)

Case 4: y →= x ∈ G2*x because y →= • ∈ G2, where y ∈ fv(e2). By safety of G2,
ρ(y) = v2. Thus, as required,

  s(y) = ρ(y) = v2 = ρ0[x ↦ v2](x) = s'(x)

Case 5: y →↓ x ∈ G2*x because y →↓ • ∈ G2. Like Case 4.

Case 6: • →↓ x ∈ G2*x because • → • ∈ G2. By safety of G2, e2 : ρ ⪰ v2. Thus,
as required,

  s(•) = e1@e2 : ρ ≻ e2 : ρ ⪰ v2 = ρ0[x ↦ v2](x) = s'(x)

The rule (ApplyG) concludes s ⇓ v, G';G from premises s → s', G' and
s' ⇓ v, G, where s = e1@e2 : ρ and s' = e' : ρ'. We assume inductively that G'
is safe for (s, s') and G is safe for (s', v). Let G0 = G';G.

We wish to show that G0 is safe: that a →= c ∈ G0 implies s(a) = v(c), and
a →↓ c ∈ G0 implies s(a) ≻ v(c). First, consider the case a →= c ∈ G0. Definition 1
implies a →= b ∈ G' and b →= c ∈ G for some b. Thus by the inductive assumptions
we have s(a) = s'(b) = v(c), as required.

Second, consider the case a →↓ c ∈ G0. Definition 1 implies a →r1 b ∈ G' and
b →r2 c ∈ G for some b, where either or both of r1, r2 are ↓. By the inductive
assumptions we have s(a) ⪰ s'(b) and s'(b) ⪰ v(c), and one or both of s(a) ≻
s'(b) and s'(b) ≻ v(c) hold. By definition of ≻ and ⪰ this implies that s(a) ≻
v(c), as required. □

D Proof of Lemma 10

Proof. The proof is by cases on which rule is applied to conclude e : ρ ⇓ e' : ρ'
or e : ρ → e' : ρ'. In all cases we show that some corresponding abstract
interpretation rules can be applied to give the desired conclusion. The induction
is on the total size of the proof* concluding that e : ρ ⇓ e' : ρ' or e : ρ → e' : ρ'.
The induction hypothesis is that the Lemma holds for all calls and evaluations
performed in the computation before the last conclusion giving e : ρ ⇓ e' : ρ' or
e : ρ → e' : ρ', i.e., we assume that the Lemma holds for premises of the rule
last applied, and for any call and evaluation in the computation until then.

Base cases: Rule (Value), (Operator) and (Operand) in the exact semantics
are modeled by axioms (ValueA), (OperatorA) and (OperandA) in the abstract
semantics. These are the same as their exact-evaluation counterparts, after removal
of environments for (ValueA) and (OperatorA), and a premise as well
for (OperandA). Hence the Lemma holds if one of these rules were the last one
applied.

The (Var) rule is, however, rather different from the (VarA) rule. If (Var) was
applied to a variable x then the assumption is P : [] →* x : ρ and x : ρ ⇓ e' : ρ'.
In this case x ∈ dom(ρ) and e' : ρ' = ρ(x). Now P : [] →* x : ρ begins from
the empty environment, and we know all calls are from state to state. The only
possible way x can have been bound is by a previous use of the (Call) rule,
the only rule that extends an environment. The premises of this rule require
that operator and operand in an application e1@e2 : ρ'' have previously been
evaluated.

This requires that e1@e2 ∈ subexp(P). By induction we can assume that the
Lemma holds for e1 : ρ'' ⇓ λx.e0 : ρ0 and e2 : ρ'' ⇓ e' : ρ', so e1 ⇓ λx.e0 and e2 ⇓ e'
in the abstract semantics. Now we have all premises of rule (VarA), so we can
conclude that x ⇓ e' as required.

For remaining rules (Apply) and (Call), when we assume that the Lemma
holds for the premises in the rule applied to conclude e : ρ ⇓ e' : ρ' or e : ρ → e' : ρ', then
this gives us the premises for the corresponding rule for abstract interpretation.
From this we can conclude the desired result. □

* This may be thought of as the number of steps in the computation of e : ρ ⇓ e' : ρ'
or e : ρ → e' : ρ' starting from P : [].

E Proof of Lemma 11 

Proof. The rules are the same as in Section 4.3, only extended with size-change
graphs. We need to add to Lemma 10 that the size-change graphs generated for
calls and evaluations can also be generated by the abstract interpretation. The
proof is by cases on which rule is applied to conclude e ⇓ e', G or e : ρ → e' :
ρ', G.

We build on Lemma 10, and we saw in the proof of this that in abstract 
interpretation we can always use a rule corresponding to the one used in exact 
computation to prove corresponding steps. The induction hypothesis is that the 
Lemma holds for the premises of the rule in exact semantics. 

Base case (VarAG): By Lemma 10 we have x : ρ ⇓ e' : ρ' implies x ⇓ e'. The
size-change graph built in (VarAG) is derived in the same way from x and e' as
in rule (VarG), and they will therefore be identical.

For other call- and evaluation rules without premises, the abstract evaluation 
rule is as the exact-evaluation rule, only with environments removed, and the 
generated size-change graphs are not influenced by environments. Hence the 
Lemma will hold if these rules are applied. 

For all other rules in a computation: When we know that Lemma 10 holds
and assume that Lemma 11 holds for the premises, then we can conclude that
if this rule is applied, then Lemma 11 holds by the corresponding rule from
abstract interpretation. □
Abstract. Several authors devised type-based termination criteria for
ML-like languages allowing non-structural recursive calls. We extend
these works to general rewriting and dependent types, hence providing
a powerful termination criterion for the combination of rewriting and
β-reduction in the Calculus of Constructions.

1 Introduction 

The Calculus of Constructions (CC) [13] is a powerful type system allowing
polymorphic and dependent types. It is the basis of several proof assistants (Coq,
Lego, Agda, ...) since it allows one to formalize the proofs of higher-order logic.
In this context, it is essential to allow users to define functions and predicates
in the most convenient way and to be able to decide whether a term is a proof
of some proposition, and whether two terms/propositions are equivalent w.r.t.
user definitions. As exemplified in [16,10], a promising approach is rewriting.
To this end, we need powerful criteria to check the termination of higher-order
rewrite-based definitions combined with β-reduction.

In [10], we proved that such a combination is strongly normalizing if, on the 
one hand, first-order rewrite rules are strongly normalizing and non-duplicating 
and, on the other hand, higher-order rewrite rules satisfy a termination criterion 
based on the notion of computability closure and similar to primitive recursion. 
However, many rewrite systems do not satisfy these conditions, as division¹ on
natural numbers nat for instance:

(1)  − x 0        → x
(2)  − 0 x        → 0
(3)  − (s x) (s y) → − x y
(4)  / 0 x        → 0
(5)  / (s x) y    → s (/ (− x y) y)

¹ (/ x y) is the lower integer part of
Hughes et al [20], Xi [26], Gimenez et al [18,5] and Abel [2] devised termination
criteria able to treat such examples by exploiting the way inductive types
are usually interpreted [23]. Take for instance the addition on Brouwer's ordinals
ord whose constructors are 0 : ord, s : ord → ord and lim : (nat → ord) → ord:

(1)  + 0 x        → x
(2)  + (s x) y    → s (+ x y)
(3)  + (lim f) y  → lim ([x : nat] (+ (f x) y))

The usual computability-based technique for proving the termination of this
function is to interpret ord as the fixpoint of the following monotone function φ
on the powerset of the set of strongly normalizing terms SN ordered by inclusion:

  φ(X) = {t ∈ SN | t →* s u ⇒ u ∈ X; t →* lim f ⇒ ∀u ∈ SN, f u ∈ X}

The fixpoint of φ, [ord], can be reached by transfinite iteration and every
t ∈ [ord] is obtained after a smallest ordinal o(t) of iterations, the order of t.
This naturally defines an ordering: t > u iff o(t) > o(u), with which lim f > f u
for all u ∈ SN.

Now, applying this technique to nat, we can easily check that o(− t u) ≤ o(t)
and thus allow the recursive call with − x y in the definition of / above. We
proceed by induction on o(t), knowing that − t u is computable (i.e. belongs to
[nat]) iff all its reducts are computable:

- If − t u matches rule (1) then o(− t u) = o(t).

- If − t u matches rule (2) then o(− t u) = 0 ≤ o(t).

- If − t u matches rule (3) then t = s t' and u = s u'. By induction hypothesis,
o(− t' u') ≤ o(t'). Thus, o(− t u) = 1 + o(− t' u') ≤ 1 + o(t') = o(t).

- If − t u matches no rule then o(− t u) = 0 ≤ o(t).

The idea of the previously cited authors is to add that size/index/stage information
to the syntax in order to prove this automatically. Instead of a single
type nat, they consider a family of types {nat^a}_{a ∈ ω} (higher-order types require
ordinals bigger than ω), each type nat^a being interpreted by the set obtained
after a iterations of the function φ for nat. For first-order data types, a can be
seen as the maximal number of constructors at the top of a term. Finally, they
define a decidable type system in which − (defined by fixpoint/cases constructions
in their work) can be typed by nat^α → nat^β → nat^α, where α and β are
size variables, meaning that the order of − t u is not greater than the order of t.
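To make the size-annotated typing concrete, here is an added example (not the paper's code or system) in Python: a small checker that reads the sizes of the pattern variables off each rule's left-hand side, bounds the size of the right-hand side, and accepts a rule iff every recursive call has lexicographically smaller argument sizes and the result fits the declared output size. It is run on the rules for −, / and + shown above, with the declared types − : nat^α → nat^β → nat^α, / : nat^α → nat^β → nat^α and + : ord^α → ord^β → ord^∞; the constructor 0 is given a closed size below every size variable, which is an assumption of this example, not part of the page's size algebra.

```python
"""Size-based check of rewrite rules, in the spirit of Section 3 (added
example, not code from the paper).  A size is s^k applied to a size variable,
written (var, k); INF is oo.  Assumption of this example: the constructor 0
gets the closed size (None, 1), i.e. s of a base below every size variable.
SIG gives size-annotated types, e.g. '-': (['alpha','beta'], 'alpha') means
- : nat^alpha -> nat^beta -> nat^alpha; an output of INF is unbounded.  Terms
are strings (variables) or tuples (head, arg, ...); ('lam', x, body) is
[x : nat] body."""

INF = ('inf', 0)

SIG = {
    '-': (['alpha', 'beta'], 'alpha'),   # subtraction on nat
    '/': (['alpha', 'beta'], 'alpha'),   # division on nat
    '+': (['alpha', 'beta'], INF),       # addition on Brouwer ordinals
}

def succ(a):
    """s a in the size algebra; s oo = oo."""
    return INF if a == INF else (a[0], a[1] + 1)

def leq(a, b):
    """a <= b: generated by a <= s a and a <= oo; the closed base is minimal."""
    if b == INF:
        return True
    if a == INF:
        return False
    return (a[0] == b[0] or a[0] is None) and a[1] <= b[1]

def lt(a, b):
    return leq(a, b) and not leq(b, a)

def lex_lt(xs, ys):
    """Strict lexicographic comparison of two argument-size vectors."""
    for a, b in zip(xs, ys):
        if lt(a, b):
            return True
        if not (leq(a, b) and leq(b, a)):
            return False
    return False

def bind(pattern, var, env):
    """Size of a left-hand-side pattern typed with size variable `var`;
    records the sizes of the pattern's variables in env."""
    if isinstance(pattern, str):          # x : nat^var
        env[pattern] = (var, 0)
        return env[pattern]
    head, *args = pattern
    if head == '0':
        return (None, 1)
    if head == 's':                       # s p : nat^{s a} when p : nat^a
        return succ(bind(args[0], var, env))
    if head == 'lim':                     # lim f : ord^{s var}, f : nat -> ord^var
        env[args[0]] = (var, 0)
        return (var, 1)
    raise ValueError(f"unsupported pattern head {head!r}")

def size(t, env):
    """Upper bound on the size of a right-hand-side term."""
    if isinstance(t, str):
        return env[t]
    head, *args = t
    if head == 'lam':
        return size(args[1], env)
    if head == '0':
        return (None, 1)
    if head in ('s', 'lim'):
        return succ(size(args[0], env))
    if head in SIG:
        params, out = SIG[head]
        inst = dict(zip(params, [size(a, env) for a in args]))
        return INF if out == INF else inst[out]
    return env[head]                      # application of a variable, e.g. (f x)

def calls_to(f, t):
    """All subterms of t headed by the symbol f."""
    if isinstance(t, str):
        return []
    head, *args = t
    return ([t] if head == f else []) + [c for a in args for c in calls_to(f, a)]

def check_rule(f, lhs_args, rhs):
    params, out = SIG[f]
    env = {}
    lhs_sizes = [bind(p, v, env) for p, v in zip(lhs_args, params)]
    calls_ok = all(lex_lt([size(a, env) for a in call[1:]], lhs_sizes)
                   for call in calls_to(f, rhs))
    bound = INF if out == INF else dict(zip(params, lhs_sizes))[out]
    return calls_ok and leq(size(rhs, env), bound)

# Constructed encodings of the rules displayed on the page for -, / and +.
RULES = [
    ('-', ['x', ('0',)], 'x'),
    ('-', [('0',), 'x'], ('0',)),
    ('-', [('s', 'x'), ('s', 'y')], ('-', 'x', 'y')),
    ('/', [('0',), 'x'], ('0',)),
    ('/', [('s', 'x'), 'y'], ('s', ('/', ('-', 'x', 'y'), 'y'))),
    ('+', [('0',), 'x'], 'x'),
    ('+', [('s', 'x'), 'y'], ('s', ('+', 'x', 'y'))),
    ('+', [('lim', 'f'), 'y'], ('lim', ('lam', 'x', ('+', ('f', 'x'), 'y')))),
]

def check_all(rules=RULES):
    return [check_rule(*r) for r in rules]
```

A rule such as − x y → − (s x) y is rejected because the recursive call's first argument grows, and − x y → s x is rejected because s x : nat^{sα} exceeds the declared output size nat^α.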

This can also be interpreted as a way to automatically prove theorems on the
size of the result of a function w.r.t. the size of its arguments with applications
to complexity and resource bound certification, and compilation optimization
(e.g. array bound checks elimination and vector-based memoisation).

In this paper, we extend this technique to the full Calculus of Algebraic Constructions
[10] whose type conversion rule depends on user definitions, and to
general rewrite-based definitions (including rewriting modulo equational theories
treated elsewhere [7]) instead of definitions only based on fixpoint/cases
constructions. However, several questions remain unanswered (e.g. subject reduction,
matching on defined symbol, type inference) and left for future work.
We allow a richer size algebra than the one in [20, 5, 2] but we do not allow
existential size variables and do not take into account conditionals as it can be
done in Xi's work [26]. Note however that Xi is interested in the call-by-value
normalization of closed simply-typed λ-terms with first-order data types, while
we are interested in the strong normalization of the open terms of CAC.

The paper is organized as follows. Section 2 introduces the Calculus of Algebraic
Constructions with Size Annotations (CACSA). Section 3 presents the
termination criterion with some examples. Section 4 gives some elements of the
termination proof (more details can be found in [9]). Finally, Section 5 proposes
an extension (whose justification is ongoing) for capturing more definitions.

2 The Calculus of Algebraic Constructions with Size Annotations

CC is the full Pure Type System with set of sorts S = {⋆, □} and axiom ⋆ : □
[4]. The sort ⋆ is intended to be the universe of types and propositions, while □
is intended to be the universe of predicate types. Let X be the set of variables.

The Calculus of Algebraic Constructions (CAC) [10] is an extension of CC
with a set F of function or predicate symbols defined by a set R of (higher-order)
rewrite rules [15, 22] whose left hand-sides are built from symbols and variables
only. Every x ∈ X ∪ F is equipped with a sort s_x. We denote by DF the set of
defined symbols, that is, the set of symbols f with a rule f l⃗ → r ∈ R, and by
CF the set F \ DF of constant symbols. We add a superscript s to restrict these
sets to objects of sort s.

Now, we assume given a first-order term algebra A = T(H, Z), called the
algebra of size expressions, built from a set H of size symbols of fixed arity and
a set Z of size variables. Let V(t) be the set of size variables occurring in a
term t. We assume that H ∩ F = Z ∩ X = ∅, T(H, ∅) ≠ ∅ and A is equipped
with a quasi-ordering ≤_A stable by size substitution (if a ≤_A b then, for all size
substitution φ, aφ ≤_A bφ) such that (A, ≤_A) has a well-founded model (𝔄, ≤_𝔄):

Definition 1 (Size model). A pre-model of A is given by a set 𝔄, an ordering
≤_𝔄 on 𝔄 and a function h_𝔄 from 𝔄^n to 𝔄 for every n-ary size symbol h ∈ H. A
size valuation is a function ν from Z to 𝔄, naturally extended to a function on
A. A pre-model is a model if a ≤_A b implies aν ≤_𝔄 bν, for all size valuation ν.
Such a model is well-founded if >_𝔄 is well-founded.

The Calculus of Algebraic Constructions with Size Annotations (CACSA) is
an extension of CAC where constant predicate symbols are annotated by size
expressions. The terms of CACSA are defined by the following grammar rule:

  t ::= s | x | C^a | f | [x : t]t | (x : t)t | tt

where C ∈ CF^□, f ∈ F \ CF^□ and a ∈ A. We denote by T_A(F, X) the set of terms
built from F, X and A. A product (x : T)U with x ∉ FV(U) is written T → U.
We now assume that rewrite rules are built from annotated terms not containing
size variables. Hence, if t → t' then, for all size substitution φ, tφ → t'φ.




A Type-Based Termination Criterion 27



We also assume that every symbol f is equipped with a closed type τ_f =
(x⃗ : T⃗)U with no size variable if s_f = □ (size variables are implicitly universally
quantified otherwise), and |l⃗| ≤ |x⃗| if f l⃗ → r ∈ R, a set Mon^+(f) ⊆ A_f =
{1, ..., |x⃗|} of monotone arguments and a disjoint set Mon^−(f) ⊆ A_f of anti-monotone
arguments. For a size symbol h, Mon^+(h) (resp. Mon^−(h)) is taken
to be the arguments in which h_𝔄 is monotone (resp. anti-monotone).



(ax)      ⊢ ⋆ : □

(size)    ⊢ τ_C : □
          ─────────────      (C ∈ CF^□, a ∈ A)
          ⊢ C^a : τ_C

(symb)    ⊢ f : τ_f φ

(var)     Γ ⊢ T : s_x
          ─────────────────      (x ∉ dom(Γ))
          Γ, x : T ⊢ x : T

(weak)    Γ ⊢ t : T     Γ ⊢ U : s_x
          ────────────────────────────      (x ∉ dom(Γ))
          Γ, x : U ⊢ t : T

(prod)    Γ ⊢ U : s     Γ, x : U ⊢ V : s'
          ────────────────────────────────
          Γ ⊢ (x : U)V : s'

(abs)     Γ, x : U ⊢ v : V     Γ ⊢ (x : U)V : s
          ──────────────────────────────────────
          Γ ⊢ [x : U]v : (x : U)V

(app)     Γ ⊢ t : (x : U)V     Γ ⊢ u : U
          ───────────────────────────────
          Γ ⊢ tu : V{x ↦ u}

(sub)     Γ ⊢ t : T     Γ ⊢ T' : s
          ────────────────────────      (T ≤ T')
          Γ ⊢ t : T'

Fig. 1. Typing rules



An environment Γ is a sequence of variable-term pairs. Let t ↓ u iff there is
v such that t →* v *← u, with →* the reflexive and transitive closure of
→. The typing rules of CACSA are given in Figure 1 and its subtyping rules
in Figure 2. There are two differences with CAC. First, there is a new rule (size)
for typing constant predicate symbols with size annotations, while the usual rule
(symb) for typing symbols is restricted to the other symbols. Second, in CAC,
the condition for (sub) is not T ≤ T' but T ↓ T'. Note that, if → is confluent
then ↓ is equivalent to ≤ without the subtyping rule (size).

Subtyping is necessary since size annotations are upper bounds. For instance,
in an if-then-else expression, the then-branch does not need to exactly have the
same type as the else-branch. Instead of subtyping, Xi uses singleton types,
existential size variables and refinement types.

The way the subtyping relation is defined is due to Chen [12]. Replacing (red),
(exp) and (refl) by T ≤ U if T ↓ U would not allow us to prove that (trans) can
be eliminated, which is essential for proving the compatibility of subtyping with
the product construction (if (x : U)V ≤ (x : U')V' then U' ≤ U and V ≤ V'),
which in turn enables one to prove that β preserves typing. Another consequence
is that subtyping is decidable when applied on weakly normalizing terms. We
refer the reader to [9] for more details on the meta-theory of our type system.



(refl)    T ≤ T

(size)    C^a ≤ C^b      (C ∈ CF^□, a ≤_A b)

(prod)    U' ≤ U     V ≤ V'
          ──────────────────────
          (x : U)V ≤ (x : U')V'

(red)     T' ≤ U'
          ────────      (T → T', U → U')
          T ≤ U

(exp)     T' ≤ U'
          ────────      (T' → T, U' → U)
          T ≤ U

(trans)   T ≤ U     U ≤ V
          ────────────────
          T ≤ V

Fig. 2. Subtyping rules



In this paper, we make two important assumptions:

(1) →_β ∪ R is confluent. This is the case for instance if R is confluent and left-linear.
Finding other sufficient conditions is an open problem.

(2) R preserves typing: if l → r ∈ R and Γ ⊢ lσ : T then Γ ⊢ rσ : T. Finding
sufficient conditions with subtyping and dependent types does not seem
easy. We leave the study of this problem for future work. With dependent or
polymorphic symbols, requiring the existence of Γ and T such that Γ ⊢ l : T
and Γ ⊢ r : T leads to non left-linear rules. In [10], we give general conditions
avoiding the non-linearities implied by requiring l to be well-typed.

3 Constructor-Based Systems 

We now study the case of CACSA's whose size algebra at least contains the
following expressions:

  a ::= α | s a | ∞ | ...
Following [5], when there is no other symbol, the ordering on size expressions
is defined as the smallest congruent quasi-ordering ≤ such that, for all a,
a ≤ s a and a ≤ ∞, and size expressions are interpreted in 𝔄 = Ω + 1, where Ω
is the first uncountable ordinal, by taking s_𝔄(a) = a + 1 if a < Ω, s_𝔄(Ω) = Ω
and ∞_𝔄 = Ω.

One can easily imagine other size expressions like a + b, max{a, b), ... 

We now define the sets of positive and negative positions in a term, which 
will enforce monotonicity and anti-monotonicity properties respectively. Then, 
we define the set of admissible inductive types. 

Definition 2 (Positive and negative positions). The set of positions (words
over {L, R, S}) in a term t is inductively defined as follows:

- Pos(s) = Pos(x) = Pos(f) = {ε} (empty word)

- Pos((x : u)v) = Pos([x : u]v) = Pos(uv) = L.Pos(u) ∪ R.Pos(v)

- Pos(C^a) = {ε} ∪ S.Pos(a)

Let Pos(x, t) (x ∈ F ∪ X ∪ Z) be the set of positions of the free occurrences
of x in t. The set of positive positions in t, Pos^+(t), and the set of negative
positions in t, Pos^−(t), are simultaneously defined by induction on t:

- Pos^δ(s) = Pos^δ(x) = {ε | δ = +}

- Pos^δ((x : U)V) = L.Pos^{−δ}(U) ∪ R.Pos^δ(V)

- Pos^δ([x : U]v) = R.Pos^δ(v)

- Pos^δ(tu) = L.Pos^δ(t) if tu ≠ f t⃗

- Pos^δ(f t⃗) = {L^{|t⃗|} | δ = +} ∪ {L^{|t⃗|−i} R.Pos^{εδ}(t_i) | ε ∈ {−,+}, i ∈ Mon^ε(f)}

- Pos^δ(C^a t⃗) = Pos^δ(C t⃗) ∪ {L^{|t⃗|} S | δ = +}.Pos^δ(a)

where δ ∈ {−,+}, −+ = − and −− = + (usual rules of signs).

Definition 3 (Constructor-based system). We assume given a precedence
≤_F on F and that every C ∈ CF^□ with C : (z⃗ : P⃗)⋆ is equipped with a set
Cons(C) of constructors, that is, a set of constant symbols f : (y⃗ : U⃗)C^a v⃗
equipped with a set Acc(f) ⊆ A_f of accessible arguments such that:

• If there are D ≃_F C such that Pos(D, U_j) ≠ ∅ then there is α ∈ Z such that
V(τ_f) = {α} and a = sα.

• For all j ∈ Acc(c):

- For all D >_F C, Pos(D, U_j) = ∅.

- For all D ≃_F C and p ∈ Pos(D, U_j), p ∈ Pos^+(U_j) and U_j|_p = D^α.

- For all p ∈ Pos(α, U_j), p = qS, U_j|_q = D^α and D ≃_F C.

- For all X ∈ FV^□(U_j), there is ι_X with v_{ι_X} = X and Pos(X, U_j) ⊆ Pos^+(U_j).

• For all F ≃_F C and F l⃗ → r ∈ R:

- For all G ≥_F F, Pos(G, r) = ∅.

- For all i ∈ Mon^+(F), l_i ∈ X and Pos(l_i, r) ⊆ Pos^+(r).

- For all X ∈ FV^□(r), there is κ_X with l_{κ_X} = X.

The positivity conditions are usual. The restrictions on α and a are also
present in [5,2]. Section 5 proposes more general conditions. The conditions
involving ι and κ mean that we restrict our attention to small inductive types
for which predicate variables are parameters. See [6] for details about inductive
types and weak/strong elimination.

An example is the inductive-recursive type T : ⋆ with constructors v : nat →
T, f : (list T) → T and μ : ¬¬T → T (first-order terms with continuations),
where list : ⋆ → ⋆ is the type of polymorphic lists (Mon^+(list) = {1}), ¬ : ⋆ → ⋆
(Mon^−(¬) = {1}) is defined by the rule ¬ A → A → ⊥, and ⊥ = (A : ⋆)A.

We now give general conditions for rewrite rules to preserve strong normalization,
based on the fundamental notion of computability closure. The computability
closure of a term t is a set of terms that can be proved computable whenever
t is computable. If, for every rule f l⃗ → r, r belongs to the computability closure
of l⃗, then rules preserve computability, hence strong normalization.

In [10], the computability closure is inductively defined as a typing relation
⊢_f similar to ⊢ except for the (symb) case which is replaced by two new cases:
(symb<) for symbols strictly smaller than f, and (symb=) for symbols equivalent
to f whose arguments are structurally smaller than l⃗.

Here, (symb=) is replaced by a new case for symbols equivalent to f whose
arguments have, from typing, sizes smaller than those of l⃗. For comparing sizes,
one can use metrics, similar to Dershowitz and Hoot's termination functions [14].

Definition 4 (Ordering on symbol arguments). For every symbol f :
(x⃗ : T⃗)U, we assume given two well-founded domains, (D_f^A, >_f^A) and (D_f^𝔄, >_f^𝔄),
and two functions ζ_f^A : A^n → D_f^A and ζ_f^𝔄 : 𝔄^n → D_f^𝔄 (n = |x⃗|) such that
(D_f^X, >_f^X) = (D_g^X, >_g^X) (X ∈ {A, 𝔄}) whenever f ≃_F g, and we define:

- a_i^f = a if T_i = C^a v⃗, and a_i^f = ∞ otherwise.

- (f, φ) >^A (g, ψ) iff f >_F g, or f ≃_F g and ζ_f^A(a⃗^f φ) >_f^A ζ_g^A(a⃗^g ψ).

- (f, ν) >^𝔄 (g, ν') iff f >_F g, or f ≃_F g and ζ_f^𝔄(a⃗^f ν) >_f^𝔄 ζ_g^𝔄(a⃗^g ν').

Then, we assume that >^A is decidable and that (f, φ) >^A (g, ψ) implies (f, φν) >^𝔄
(g, ψν) for all ν.

A simple metric is given by assigning a status to every symbol, that is, a non-empty
sequence of multisets of positive integers, describing a simple combination
of lexicographic and multiset comparisons. Given a set D and a status ζ of arity
n (biggest integer occurring in it), we define [ζ]_D on D^n as follows:

- [M_1 ... M_k]_D(x⃗) = ([M_1]_D(x⃗), ..., [M_k]_D(x⃗))

- [{i_1, ..., i_p}]_D(x⃗) = {x_{i_1}, ..., x_{i_p}} (multiset)

Now, take ζ_f^X = [ζ_f]_X, D_f^X = ζ_f^X(X^n) and >_f^X = ((>_X)_mul)_lex.

For building the computability closure, one must start from the variables of 
the left hand-side. However, one cannot take any variable since, a priori, not 
every subterm of a computable term is computable. To this end, based on the 
interpretation of constant predicate symbols, we introduce the following notion: 
Definition 5 (Accessibility). We say that $u : U$ is $a$-accessible in $t : T$, written $t : T \rhd_a u : U$, iff $t = f\vec{u}$, $f \in Cons(C)$, $f : (\vec{y} : \vec{U})C^{a}\vec{v}$, $|\vec{u}| = |\vec{y}|$, $u = u_j$, $j \in Acc(f)$, $T = C^{a}\vec{v}\gamma$, $U = U_j\gamma\varphi$, $\vec{y}\gamma = \vec{u}$, $a\varphi = a$ and $Pos(a, \vec{u}) = \emptyset$.

A constructor $c : (\vec{y} : \vec{U})C^{a}\vec{v}$ is finitely branching¹ iff, for all $j \in Acc(c)$, either $Pos(a, U_j) = \emptyset$ or there exists $D$ such that $U_j = D^{a}\vec{u}$. We say that $u : U$ is strongly $a$-accessible in $t : T$, written $t : T \blacktriangleright_a u : U$, iff $t : T \rhd_a u : U$, $f$ is a finitely branching constructor and $Pos(a, U_j) \neq \emptyset$.

We say that $u : U$ is $a$-accessible modulo $\varphi$ in $t : T$, written $t : T \rhd^{\varphi}_a u : U$, iff either $t : T\varphi = u : U$ and $\varphi|_{V(T)}$ is a renaming², or $t : T\varphi \rhd^{*} \blacktriangleright_b u : U$ for some $b \in \mathcal{Z}$.

This seems to restrict matching to constructors as in ML-like languages. However, one can prove that, for first-order data types, computability is equivalent to strong normalization [9]. Thus, every argument of a first-order symbol can be declared as accessible, and matching on defined first-order function symbols is possible. Meanwhile, it may be difficult to find for these symbols output sizes and measures satisfying all the constraints required for subject reduction and recursive calls. More research has to be done on this subject.

Definition 6 (Termination criterion). For every rule $f\vec{l} \to r \in \mathcal{R}$ with $f : (\vec{x} : \vec{T})U$ and $\vec{x}\gamma = \vec{l}$, we assume given a size substitution $\varphi$. The computability closure for this rule is given by the type system of Figure 3 on the set of terms $\mathcal{T}_A(\mathcal{F}', \mathcal{X}')$ where $\mathcal{F}' = \mathcal{F} \cup dom(\Gamma)$, $\mathcal{X}' = \mathcal{X} \setminus dom(\Gamma)$ and, for all $x \in dom(\Gamma)$, $\tau_x = x\Gamma$ and $x <_{\mathcal{F}} f$. The termination conditions are:

• Well-typedness: for all $i$, $\vdash_c l_i : T_i\varphi\gamma$.

• Linearity: $\Gamma$ is linear w.r.t. size variables.

• Accessibility: for all $x \in dom(\Gamma)$, there are $i$ and $\beta$ such that $l_i : T_i \rhd^{\varphi}_{\beta} x : x\Gamma$, $T_i = C^{\beta}\vec{t}$ and $V(\vec{t}) = \emptyset$.

• Computability closure: $\vdash_c r : U\varphi\gamma$.

• Positivity: for all $\alpha \in V(\vec{T})$, $Pos(\alpha, U) \subseteq Pos^{+}(U)$.

• Safeness: $\gamma$ is an injection from $dom^{\Box}(\tau_f)$ to $dom^{\Box}(\Gamma)$.

The positivity condition on the output type of $f$ w.r.t. size variables appears in the previous works on sized types too. It may be extended to more general continuity conditions [20, 1]. In [3], Abel gives an example of a function which is not terminating because it does not satisfy such a condition.

As for the safeness condition, it simply says that one cannot do matching or have non-linearities on predicate variables, which is known to lead to non-termination in some cases [19]. It is also part of other works on CC with inductive types [24] and rewriting [25].

The linearity, positivity, safeness and accessibility conditions are decidable. We think that the other conditions are decidable too, under the assumption that the satisfiability of inequality constraints in $A$ is decidable. To this end, we

¹ Constructors of usual first-order data types are finitely branching.

² An injection from a finite subset of $\mathcal{X}$ to $\mathcal{X}$.
(ax)
  $\vdash_c \star : \Box$

(size)
  $\vdash_c \tau_C : \Box$
  ----------------------------------------
  $\vdash_c C^{a} : \tau_C$        ($C \in CF^{\Box}$)

(symb)
  $\vdash_c \tau_g : s_g$    $(\forall i)\ \Delta \vdash_c y_i\delta : U_i\psi\delta$
  ----------------------------------------
  $\Delta \vdash_c g\vec{y}\delta : V\psi\delta$        ($g \notin CF^{\Box}$, $g : (\vec{y} : \vec{U})V$, $(g, \psi) <_{A} (f, \varphi)$)

(var)
  $\Delta \vdash_c T : s_x$
  ----------------------------------------
  $\Delta, x : T \vdash_c x : T$        ($x \notin dom(\Delta)$)

(weak)
  $\Delta \vdash_c t : T$    $\Delta \vdash_c U : s_x$
  ----------------------------------------
  $\Delta, x : U \vdash_c t : T$        ($x \notin dom(\Delta)$)

(prod)
  $\Delta, x : U \vdash_c V : s$
  ----------------------------------------
  $\Delta \vdash_c (x : U)V : s$

(abs)
  $\Delta, x : U \vdash_c v : V$    $\Delta \vdash_c (x : U)V : s$
  ----------------------------------------
  $\Delta \vdash_c [x : U]v : (x : U)V$

(app)
  $\Delta \vdash_c t : (x : U)V$    $\Delta \vdash_c u : U$
  ----------------------------------------
  $\Delta \vdash_c tu : V\{x \mapsto u\}$

(conv)
  $\Delta \vdash_c t : T$    $\Delta \vdash_c T : s$    $\Delta \vdash_c T' : s$
  ----------------------------------------
  $\Delta \vdash_c t : T'$        ($T \le T'$)

Fig. 3. Computability closure of $(f\vec{l} \to r, \Gamma, \varphi)$ with $f : (\vec{x} : \vec{T})U$ and $\vec{x}\gamma = \vec{l}$



prove the strong normalization of well-typed terms in Section 4, and describe a type inference algorithm in [9]. In practice, like Xi, we can restrict size expressions to linear arithmetic, for which the satisfiability of inequality constraints is decidable.

Note that, with polymorphic or dependent function symbols, the well-typedness condition makes the rules non left-linear. For instance, with concatenation on polymorphic lists: $app\ A\ (cons\ A'\ x\ l)\ l' \to cons\ A\ x\ (app\ A\ l\ l')$, we need to take $A' = A$. In [10], we proved that, in CAC, this condition can be relaxed by relativizing the previous conditions with the substitution $\{A' \mapsto A\}$. The same technique should apply to CACSA.

We now give some examples satisfying these conditions: 

Example 1 (Division on natural numbers). Take $nat : \star$, $0 : nat^{\alpha}$, $s : nat^{\alpha} \Rightarrow nat^{s\alpha}$, $- : nat^{\alpha} \Rightarrow nat^{\beta} \Rightarrow nat^{\alpha}$ and $/ : nat^{\alpha} \Rightarrow nat^{\beta} \Rightarrow nat^{\alpha}$.

• For rule (3), take $\zeta_{-}(\alpha, \beta) = \alpha$, $\Gamma = x : nat^{\delta}, y : nat^{\epsilon}$, $\varphi = \{\alpha \mapsto s\delta, \beta \mapsto s\epsilon\}$ and $s <_{\mathcal{F}} -$. By (symb), $\vdash_c x : nat^{\delta}$ and $\vdash_c y : nat^{\epsilon}$. By (symb), $\vdash_c -xy : nat^{\delta}$ since $\zeta_{-}(\delta, \epsilon) = \delta < \zeta_{-}(s\delta, s\epsilon) = s\delta$. Thus, by (sub), $\vdash_c -xy : nat^{s\delta}$.

• For rule (5), take $\zeta_{/}(\alpha, \beta) = \alpha$, $\Gamma = x : nat^{\delta}, y : nat^{\epsilon}$, $\gamma = \{p \mapsto sx, q \mapsto y\}$, $\varphi = \{\alpha \mapsto s\delta, \beta \mapsto \epsilon\}$ and $- <_{\mathcal{F}} /$. By (symb), $\vdash_c x : nat^{\delta}$ and $\vdash_c y : nat^{\epsilon}$. By (symb), $\vdash_c -xy : nat^{\delta}$. By (symb), $\vdash_c /(-xy)y : nat^{\delta}$ since $\zeta_{/}(\delta, \epsilon) = \delta < \zeta_{/}(s\delta, \epsilon) = s\delta$. Thus, by (symb), $\vdash_c s(/(-xy)y) : nat^{s\delta}$.

Example 2 (Addition on Brouwer's ordinals). Take $ord : \star$, $0 : nat^{\alpha}$, $s : nat^{\alpha} \Rightarrow nat^{s\alpha}$, $lim : (nat \Rightarrow ord^{\alpha}) \Rightarrow ord^{s\alpha}$ and $+ : ord^{\alpha} \Rightarrow ord^{\beta} \Rightarrow ord^{\infty}$. For rule (3), take $\zeta_{+}(\alpha, \beta) = \alpha$, $\Gamma = f : nat^{\infty} \Rightarrow ord^{\delta}, y : ord^{\epsilon}$, $\varphi = \{\alpha \mapsto s\delta, \beta \mapsto \epsilon\}$ and $s, lim <_{\mathcal{F}} +$. By (symb), $\vdash_c f : nat^{\infty} \Rightarrow ord^{\delta}$ and $\vdash_c y : ord^{\epsilon}$. Let $\Delta = x : nat^{\infty}$. By (var), $\Delta \vdash_c x : nat^{\infty}$. By (weak), $\Delta \vdash_c f : nat^{\infty} \Rightarrow ord^{\delta}$ and $\Delta \vdash_c y : ord^{\epsilon}$. By (app), $\Delta \vdash_c fx : ord^{\delta}$. By (symb), $\Delta \vdash_c +(fx)y : ord^{\infty}$ since $\zeta_{+}(\delta, \epsilon) = \delta < \zeta_{+}(s\delta, \epsilon) = s\delta$. By (abs), $\vdash_c [x : nat^{\infty}](+(fx)y) : (x : nat^{\infty})ord^{\infty}$. Thus, by (symb), $\vdash_c lim([x : nat^{\infty}](+(fx)y)) : ord^{s\infty}$. This does not fit in Xi's framework.



Example 3 (Huet and Hullot's reverse function). Take $list : \star$, $nil : list^{\alpha}$, $cons : nat^{\infty} \Rightarrow list^{\alpha} \Rightarrow list^{s\alpha}$, $rev1 : nat^{\infty} \Rightarrow list^{\infty} \Rightarrow nat^{\infty}$, $rev2 : nat^{\infty} \Rightarrow list^{\alpha} \Rightarrow list^{\alpha}$ and $rev : list^{\alpha} \Rightarrow list^{\alpha}$.

(1) $rev1\ x\ nil \to x$

(2) $rev1\ x\ (cons\ y\ l) \to rev1\ y\ l$

(3) $rev2\ x\ nil \to nil$

(4) $rev2\ x\ (cons\ y\ l) \to rev\ (cons\ x\ (rev\ (rev2\ y\ l)))$

(5) $rev\ nil \to nil$

(6) $rev\ (cons\ x\ l) \to cons\ (rev1\ x\ l)\ (rev2\ x\ l)$

For rule (4), take $\zeta_{rev}(\alpha) = 2\alpha$, $\zeta_{rev2}(\alpha, \beta) = 2\beta + 1$, $\Gamma = x : nat^{\infty}, y : nat^{\infty}, l : list^{\delta}$, $\varphi = \{\beta \mapsto \delta + 1\}$ and $rev \simeq_{\mathcal{F}} rev2 >_{\mathcal{F}} rev1 >_{\mathcal{F}} cons, nil$. Then, one can check that $\zeta_{rev2}(\infty, \delta + 1) = 2\delta + 3$ is strictly greater than $\zeta_{rev2}(\infty, \delta) = 2\delta + 1$, $\zeta_{rev}(\delta) = 2\delta$ and $\zeta_{rev}(1 + \delta) = 2\delta + 2$.



4 Termination Proof 

The termination proof follows the computability-based method of [10]. For lack of space, we just state the most important theorems. See [9] for details.

Let $\mathcal{R}_t$ be the set of possible interpretations for the terms of type $t$. $\mathcal{R}_s$ is made of sets of strongly normalizable terms. $\mathcal{R}_{(x:T)U}$ is made of the functions from $\mathcal{T} \times \mathcal{R}_T$ to $\mathcal{R}_U$ that are invariant by reduction or size substitution. $\mathcal{R}^{m}_t$ is the subset of $\mathcal{R}_t$ made of the functions that are monotone (resp. anti-monotone) in their monotone (resp. anti-monotone) arguments.

We first define the interpretation of types. Then, we prove monotonicity prop- 
erties, the correctness of accessibility w.r.t. computability (accessible subterms of 
a computable term are computable), the correctness of the computability closure 
(every term of the computability closure is computable) and the computability 
of every symbol, hence the strong normalization of every well-typed term. 
Definition 7 (Interpretation schema). A candidate assignment is a function $\xi$ from $\mathcal{X}$ to $\bigcup\{\mathcal{R}_t \mid t \in \mathcal{T}\}$. A candidate assignment $\xi$ is a $\Gamma$-assignment, written $\xi \models \Gamma$, if, for all $x \in dom^{\Box}(\Gamma)$, $x\xi \in \mathcal{R}_{x\Gamma}$.

An interpretation for a symbol $C \in CF^{\Box}$ is a monotone function $I$ from $\mathfrak{A}$ to $\mathcal{R}^{m}_{\tau_C}$. An interpretation for a symbol $f \in DF^{\Box}$ is an element of $\mathcal{R}^{m}_{\tau_f}$. An interpretation for a set $\mathcal{G}$ of predicate symbols is a function which, to every symbol $g \in \mathcal{G}$, associates an interpretation for $g$.

The interpretation of $t$ w.r.t. a candidate assignment $\xi$, an interpretation $I$ for $\mathcal{F}$, a substitution $\theta$ and a valuation $\nu$, is defined by induction on $t$:

- = id if t is an object or a sort 

- ml’; = lFifFG VT° 

- Weie = 

- lix : U)vjl’; = {t G r I vm G IC/1^;,V5 g tzuM g 

- l[x : U]vjl’;{u,S) = 

where $\theta^{u}_x = \theta \cup \{x \mapsto u\}$ and $\xi^{S}_x = \xi \cup \{x \mapsto S\}$. A substitution $\theta$ is adapted to a $\Gamma$-assignment $\xi$ and a valuation $\nu$, written $\xi, \theta \models_{\nu} \Gamma$, if $dom(\theta) \subseteq dom(\Gamma)$ and, for all $x \in dom(\theta)$, $x\theta \in [x\Gamma]^{\nu}_{\xi,\theta}$.

We define the interpretation of predicate symbols by induction on $>_{\mathcal{F}}$. The definition for defined predicate symbols can be found in [10]. We now define the interpretation of constant predicate symbols by transfinite induction on $a \in \mathfrak{A}$.

Definition 8 (Interpretation of constant predicate symbols).

- $I^{0}_C(\vec{t}, \vec{S})$ is the set of $u \in SN$ that never reduces to a term of the form $f\vec{u}$ with $f \in Cons(C)$, $f : (\vec{y} : \vec{U})C^{\alpha}\vec{v}$, $|\vec{u}| = |\vec{y}|$ and $Acc(f) \neq \emptyset$.

- $I^{a+1}_C(\vec{t}, \vec{S})$ is the set of terms $u \in SN$ such that, if $u$ reduces to a constructor term $f\vec{u}$ with $f : (\vec{y} : \vec{U})C^{\alpha}\vec{v}$ then, for all $j \in Acc(f)$, $u_j \in [U_j]^{\nu}_{\xi,\theta}$ with $\vec{y}\xi = \vec{S}$, $\vec{y}\theta = \vec{u}$ and $\alpha\nu = a$.

- $I^{b}_C = \bigcup\{I^{a}_C \mid a < b\}$ if $b$ is a limit ordinal.

For $t \in I_C(\vec{S})$, let $o_{C(\vec{S})}(t)$ be the smallest ordinal $a$ such that $t \in I^{a}_C(\vec{S})$.

The interpretation is well defined thanks to the assumptions made on constructors, and the following properties of the interpretation schema:

Lemma 1 (Monotonicity). Let $\xi \le_x \xi'$ iff $x\xi \le x\xi'$ and, for all $y \neq x$, $y\xi = y\xi'$; $I \le_f I'$ iff $I_f \le I'_f$ and, for all $g \neq f$, $I_g = I'_g$; $\nu \le_{\alpha} \nu'$ iff $\alpha\nu \le_{\mathfrak{A}} \alpha\nu'$ and, for all $\beta \neq \alpha$, $\beta\nu = \beta\nu'$. Assume that $\Gamma \vdash t : T$ and $\xi \models \Gamma$.³

- If $\xi \le_x \xi'$ and $Pos(x, t) \subseteq Pos^{+}(t)$ then $[t]^{I,\nu}_{\xi,\theta} \le [t]^{I,\nu}_{\xi',\theta}$.

- If $I \le_f I'$ and $Pos(f, t) \subseteq Pos^{+}(t)$ then $[t]^{I,\nu}_{\xi,\theta} \le [t]^{I',\nu}_{\xi,\theta}$.

- If $\nu \le_{\alpha} \nu'$ and $Pos(\alpha, t) \subseteq Pos^{+}(t)$ then $[t]^{I,\nu}_{\xi,\theta} \le [t]^{I,\nu'}_{\xi,\theta}$.

- If $\Gamma \vdash T \le T' : s$, $T, T' \in \mathcal{WN}$, $[\rho] = [\rho']$ whenever , then $[T]^{I,\nu}_{\xi,\theta} \le [T']^{I,\nu}_{\xi,\theta}$.

³ In the following, we do not write $t$ since the interpretation does not depend on it.

Theorem 1 (Accessibility correctness). If $t : T \rhd^{\varphi}_{a} u : U$, $T = C^{a}\vec{t}$, $V(\vec{t}) = \emptyset$ and $t\sigma \in [T]^{\nu}_{\xi,\sigma}$ then there is $\nu'$ such that $a\varphi\nu' \le a\nu$ and $u\sigma \in [U]^{\nu'}_{\xi,\sigma}$.

Theorem 2 (Correctness of the computability closure). Let $(f\vec{l} \to r, \Gamma, \varphi) \in \mathcal{R}$, $f : (\vec{x} : \vec{T})U$ and $\vec{x}\gamma = \vec{l}$. Assume that, for all $(g, \psi) <_{\mathfrak{A}} (f, \varphi\nu)$, $g \in [\tau_g]^{\psi}$. If $\Delta \vdash_c t : T$ and $\sigma \models_{\nu} \Gamma, \Delta$ then $t\sigma \in [T]^{\nu}_{\sigma}$.

Proof. By induction on $\Delta \vdash_c t : T$. We only detail the case (symb). Since $(g, \psi) <_{A} (f, \varphi)$, $(g, \psi\nu) <_{\mathfrak{A}} (f, \varphi\nu)$. Hence, by assumption, $g \in [\tau_g]^{\psi\nu}$. Now, by induction hypothesis, $\vec{y}\delta\sigma \in [\vec{U}\psi\delta]^{\nu}_{\sigma}$. By candidate substitution, there exists $\xi$ such that
By size substitution,
Therefore, $g\vec{y}\delta\sigma \in [V\psi\delta]^{\nu}_{\sigma}$. □

Lemma 2 (Computability of symbols). For all $f$ and $\nu$, $f \in [\tau_f]^{\nu}$.

Proof. Assume that $\tau_f = (\vec{x} : \vec{T})U$ with $U$ distinct from a product. $f \in [\tau_f]^{\nu}$ iff, for all $\xi, \theta$ such that $\xi, \theta \models_{\nu} \vec{x} : \vec{T}$, $f\vec{x}\theta \in [U]^{\nu}_{\xi,\theta}$. We prove it by induction on $((f, \nu), \theta)$ with $(>_{\mathfrak{A}}, \to)_{lex}$ as well-founded ordering. □

Theorem 3 (Termination). $\to_{\beta} \cup \to_{\mathcal{R}}$ is well-founded on well-typed terms.



5 Towards Another Extension: Sized Constructors 

By definition, constructors are restricted to types of the form $(\vec{y} : \vec{U})C^{s\alpha}\vec{v}$ with every occurrence of a type $D \simeq_{\mathcal{F}} C$ in $\vec{U}$ of the form $D^{\alpha}$ (this is so in [5, 2] too). However, some functions need more general size annotations [17]:

Example 4 (Paulson's normalization procedure of if-expressions). By taking the types $expr : \star$, $at : expr^{\alpha}$, $if : expr^{\alpha} \Rightarrow expr^{\beta} \Rightarrow expr^{\gamma} \Rightarrow expr^{(\alpha+1)(\beta+\gamma+3)}$, $nm : expr^{\alpha} \Rightarrow expr^{\alpha}$, one can prove the termination conditions for the rules:

(1) $nm\ at \to at$

(2) $nm\ (if\ at\ y\ z) \to if\ at\ (nm\ y)\ (nm\ z)$

(3) $nm\ (if\ (if\ u\ v\ w)\ y\ z) \to nm\ (if\ u\ (nm\ (if\ v\ y\ z))\ (nm\ (if\ w\ y\ z)))$

For rule (3), take $\zeta_{nm}(\alpha) = \alpha$, $\Gamma = u : expr^{\alpha}, v : expr^{\beta}, w : expr^{\gamma}, y : expr^{\delta}, z : expr^{\epsilon}$, $v = ((\alpha+1)(\beta+\gamma+3)+1)(\delta+\epsilon+3)$, $\varphi = \{\alpha \mapsto v\}$ and $nm >_{\mathcal{F}} at, if$. Then, one can check that $v$ is strictly greater than $(\beta+1)(\delta+\epsilon+3)$, $(\gamma+1)(\delta+\epsilon+3)$ and $(\alpha+1)((\beta+1)(\delta+\epsilon+3) + (\gamma+1)(\delta+\epsilon+3) + 3)$.

The conditions on constructors also imply that non-recursive arguments are of size $\infty$ (i.e. undefined). So, there is no way to give different sizes to the terms of a non-recursive type. Yet, it may be very useful, as shown by the type $blist$ in the following example.
Example 5 (Quick sort). Take $bool : \star$, $true : bool^{\infty}$, $false : bool^{\infty}$, $blist : \star$, $pair : list^{\alpha} \Rightarrow list^{\beta} \Rightarrow blist^{max(\alpha,\beta)}$ or $pair : list^{\alpha} \Rightarrow list^{\alpha} \Rightarrow blist^{\alpha}$, $fst : blist^{\alpha} \Rightarrow list^{\alpha}$, $snd : blist^{\alpha} \Rightarrow list^{\alpha}$, $< : nat^{\infty} \Rightarrow nat^{\infty} \Rightarrow bool^{\infty}$, $pivot : nat^{\infty} \Rightarrow list^{\alpha} \Rightarrow blist^{\alpha}$, $qs : list^{\alpha} \Rightarrow list^{\beta} \Rightarrow list^{\infty}$ and $qsort : list^{\infty} \Rightarrow list^{\infty}$.

(1) $fst\ (pair\ x\ y) \to x$

(2) $snd\ (pair\ x\ y) \to y$

(3) $<\ 0\ x \to true$

(4) $<\ (s\ x)\ 0 \to false$

(5) $<\ (s\ x)\ (s\ y) \to <\ x\ y$

(6) $if\ true\ x\ y \to x$

(7) $if\ false\ x\ y \to y$

(8) $pivot\ x\ nil \to pair\ nil\ nil$

(9) $pivot\ x\ (cons\ y\ l) \to if\ (<\ y\ x)\ (pair\ (cons\ y\ u)\ v)\ (pair\ u\ (cons\ y\ v))$ where $u = fst\ (pivot\ x\ l)$ and $v = snd\ (pivot\ x\ l)$

(10) $qs\ nil\ l \to l$

(11) $qs\ (cons\ x\ l)\ l' \to qs\ u\ (cons\ x\ (qs\ v\ l'))$ where $u = fst\ (pivot\ x\ l)$ and $v = snd\ (pivot\ x\ l)$

(12) $qsort\ l \to qs\ l\ nil$

For rule (11), take $\zeta_{qs}(\alpha, \beta) = \alpha$, $\Gamma = x : nat^{\infty}, l : list^{\delta}, l' : list^{\epsilon}$, $\varphi = \{\alpha \mapsto s\delta, \beta \mapsto \epsilon\}$ and $qs >_{\mathcal{F}} pivot >_{\mathcal{F}} cons, pair, fst, snd$. By (symb), $\vdash_c x : nat^{\infty}$, $\vdash_c l : list^{\delta}$ and $\vdash_c l' : list^{\epsilon}$. By (symb), $\vdash_c pivot\ x\ l : blist^{\delta}$. By (symb), $\vdash_c u : list^{\delta}$ and $\vdash_c v : list^{\delta}$. By (symb), $\vdash_c qs\ v\ l' : list^{\infty}$. By (symb), $\vdash_c cons\ x\ (qs\ v\ l') : list^{s\infty}$. By (sub), $\vdash_c cons\ x\ (qs\ v\ l') : list^{\infty}$. Thus, by (symb), $\vdash_c qs\ u\ (cons\ x\ (qs\ v\ l')) : list^{\infty}$ since $\zeta_{qs}(\delta, \infty) = \delta < \zeta_{qs}(s\delta, \epsilon) = s\delta$.

Therefore, we naturally come to the following more general conditions, whose 
justification is ongoing. 

Definition 9 (Sized constructors). A type $C$ is non-recursive if, for all constructors $f : (\vec{y} : \vec{U})C^{\alpha}\vec{v}$ and $j \in Acc(f)$, no $D \simeq_{\mathcal{F}} C$ occurs in $U_j$. The first, third and fourth conditions of Definition 3 are replaced by the following ones:

- For all $j \in Acc(f)$, $D \simeq_{\mathcal{F}} C$ and $p \in Pos(D, U_j)$, $p \in Pos^{+}(U_j)$ and $U_j|_p = D^{a}$ for some $a <_{A} \alpha$ ($a \le_{A} \alpha$ if $C$ is non-recursive).

- For all $j \in Acc(f)$, $\alpha \in V(U_j)$ and $p \in Pos(\alpha, U_j)$, there is $D \simeq_{\mathcal{F}} C$ and $q \in Pos(D, U_j)$ such that $p = qS$.

Note however that it still does not allow us to take $qs : list^{\alpha} \Rightarrow list^{\beta} \Rightarrow list^{\alpha+\beta}$ and thus $qsort : list^{\alpha} \Rightarrow list^{\alpha}$ since too much information is lost by taking $pair : list^{\alpha} \Rightarrow list^{\beta} \Rightarrow blist^{max(\alpha,\beta)}$. A solution would be to take $pair : list^{\alpha} \Rightarrow list^{\beta} \Rightarrow blist^{(\alpha,\beta)}$ with $(\alpha, \beta)$ interpreted as a pair of ordinals, and to say that $pivot$ has type $nat^{\infty} \Rightarrow list^{\alpha} \Rightarrow blist^{(\beta,\gamma)}$ for some $\beta$ and $\gamma$ such that $\beta + \gamma = \alpha$, as it can be done in [26].

Another interest of Xi's framework is to take into account the semantics of conditional statements:

Example 6 (McCarthy's "91" function). McCarthy's "91" function $f$ is defined by the following equations: $f(x) = f(f(x + 11))$ if $x \le 100$, and $f(x) = x - 10$ otherwise. In fact, $f$ is equal to the function $F$ such that $F(x) = 91$ if $x \le 100$, and $F(x) = x - 10$ otherwise. A way to formalize this in CACSA would be to use conditional rewrite rules:

(1) $f\ x \to f\ (f\ (+\ x\ 11))$ if $\le\ x\ 100 = true$

(2) $f\ x \to -\ x\ 10$ if $\le\ x\ 100 = false$

and take $f : nat^{\alpha} \Rightarrow nat^{F(\alpha)}$ and $\zeta_f(x) = max(0, 101 - x)$ as measure function, as it can be done in Xi's framework. Then, by taking into account the rewrite rule conditions, one could prove that, if $\Gamma = x : nat^{\delta}$ and $\le\ x\ 100 = true$, then $\delta \le 100$, $\zeta_f(\delta + 11) < \zeta_f(\delta)$ and $\zeta_f(F(\delta + 11)) < \zeta_f(\delta)$.

6 Conclusion 

The notion of computability closure, first introduced in [11] and further extended to higher-order pattern-matching [8], higher-order recursive path ordering [21, 25], type-level rewriting [10] and rewriting modulo equational theories [7], proves essential for extending to rewriting and dependent types the type-based termination criteria for (polymorphic) $\lambda$-calculi with inductive types and case analysis [20, 26, 5, 2]. In contrast with what is suggested in [5], this notion, which is expressed as a sub-system of the whole type system (see Figure 3), allows pattern-matching and does not suffer from limitations one could find in systems relying on external guard predicates for recursive definitions.

We allow a richer size algebra than the one in [20, 5, 2] but do not allow existential size variables and conditional rewriting, which are essential for capturing some size-preserving properties or some definitions as it can be done in [26]. Such extensions should allow us to subsume Xi's work completely.

Some questions also need further research, in particular matching on defined symbols and decidability of type-checking. For type-checking, we believe that it is decidable if solving inequations in $A$ is decidable. We already have preliminary results in this direction [9].

We made two important assumptions that also need further research. First, the confluence of $\to_{\beta} \cup \to_{\mathcal{R}}$, which is still an open problem when $\mathcal{R}$ is confluent, terminating and non left-linear. Second, the preservation of typing under rewriting, for which we need to find decidable sufficient conditions.

We also assume that users provide appropriate sized types for function symbols and then check by our technique that the rewrite rules defining these function symbols are compatible with their types. An important extension would be to infer these types. Works in this direction already exist for ML-like languages.

Finally, by combining rewriting and subtyping in CC, this work may also be seen as an important step towards a better integration of membership equational logic and dependent type systems. Following [21, 25], we also think that it can serve as a basis for a higher-order extension of the General Path Ordering [14].
Abstract. This paper expands the termination proof techniques based on the lexicographic path ordering to term rewriting systems over varyadic terms, in which each function symbol may have more than one arity. By removing the deletion property from the usual notion of the embedding relation, we adapt Kruskal's tree theorem to the lexicographic comparison over varyadic terms. The result presented is that finite term rewriting systems over varyadic terms are terminating whenever they are compatible with the lexicographic path order. The ordering is simple, but powerful enough to handle most higher-order rewriting systems without $\lambda$-abstraction, expressed as S-expression rewriting systems.



1 Introduction 

A term rewriting system [2, 15] is said to be terminating if all reduction sequences are finite. An important syntactical method to prove termination of a first-order term rewriting system is the one using the lexicographic path order (or the recursive path order with lexicographic status) relying on Kruskal's tree theorem [2, 4, 5, 7, 13, 15].

A higher-order rewriting system is a rewriting system that accommodates higher-order functions. Several syntactical methods for proving their termination have been presented [1, 6, 10-12, 14]. In the framework of algebraic-functional systems, Jouannaud and Rubio [6] generalize the recursive path order (with lexicographic status) to higher-order rewrite rules, by adapting the notion of computability of the typed $\lambda$-calculus due to Tait and Girard. Concerning the termination method relying on Kruskal's tree theorem [9], Lifantsev and Bachmair [11] present the lexicographic path ordering for higher-order rewriting systems without $\lambda$-abstraction, in which higher-order terms are expressed by application and pairing. Aoto and Yamada [1] present a transformation method for applying the lexicographic path ordering to simply typed term rewriting systems. These syntactical methods have to use the types to guarantee well-foundedness of the
presented orderings [1, 6, 11]. From this observation, a natural question arises: whether the syntactical methods relying entirely on Kruskal's tree theorem, without using the types, are really useful for proving termination of higher-order rewriting systems.

The main purpose of this paper is to give a positive answer to the above question; the lexicographic path ordering relying only on Kruskal's tree theorem is powerful enough to handle most higher-order rewriting systems in the literature [1, 6, 10-12, 14]. The crucial point is the notion of simplification order [2, 4, 13, 15] over varyadic signatures, in which each function symbol may have more than one arity [4, 5]. Over varyadic signatures, the usual definition of simplification order requires the deletion property [4, 5], since it is tightly related to the use of Kruskal's tree theorem [9]. However, the lexicographic comparison is not compatible with this property. Hence, in the literature [2, 7, 15] the lexicographic path order (or the lexicographic comparison of the recursive path order with status) is restricted to fixed-arity (or bounded-varyadic [5]) signatures. In this paper, by removing the deletion property from the usual definition, we adapt the notion of simplification order to the lexicographic path order over varyadic signatures.

The key result presented here is that finite term rewriting systems over varyadic signatures are terminating whenever they are compatible with the lexicographic path order. The result is simple but by no means trivial because we do not restrict to fixed-arity (or bounded-varyadic) signatures. To develop the termination method based on this result, we propose a new framework of S-expressions built from constants and a varyadic function symbol of infinitely many arities, in which higher-order rewriting systems are expressed as S-expression rewriting systems. Termination of various examples is shown by the lexicographic path order on S-expressions, without using types. If we use the type information of higher-order rewrite rules, the power of our termination method can be strengthened further. To demonstrate this, we propose a non-termination preserving transformation of higher-order rewriting systems based on a currying technique.

The remainder of this paper is organized as follows. After a preliminary section, in Section 3 we discuss the simplification ordering over varyadic signatures. In Section 4 the lexicographic path ordering over varyadic signatures is studied. In Sections 5 and 6 we introduce S-expression rewriting systems and discuss their termination. Section 7 shows that our ordering over S-expressions is a conservative extension of the usual ordering. Section 8 strengthens our ordering through a transformational method based on the type information.

2 Preliminaries 

We mainly follow the notation of [2, 15]. A signature is a set $\mathcal{F}$ of function symbols. Function symbols in $\mathcal{F}$ may be varyadic, i.e., have more than one arity. If at least one function symbol $f \in \mathcal{F}$ is varyadic, we say that $\mathcal{F}$ is varyadic; otherwise, $\mathcal{F}$ is fixed-arity. Elements of $\mathcal{F}$ of arity 0 are called constants. Let $V$ be a countably infinite set of variables denoted by $x, y, z, \ldots, a, \ldots$ where $\mathcal{F} \cap V = \emptyset$. The set of all terms built from $\mathcal{F}$ and $V$ is denoted by $T(\mathcal{F}, V)$, and terms are usually denoted by $s, t, r, \ldots$. The set of function symbols in a term $t$ is denoted by $\mathcal{F}(t)$, and the set of variables is denoted by $V(t)$.

A substitution $\theta$ is a mapping from $V$ into $T(\mathcal{F}, V)$. Substitutions are extended into homomorphisms from $T(\mathcal{F}, V)$ into $T(\mathcal{F}, V)$. Following common usage, we write $t\theta$ instead of $\theta(t)$.

Consider an extra constant $\Box$ called a hole. Then $C \in T(\mathcal{F} \cup \{\Box\}, V)$ is called a context on $\mathcal{F}$. We use the notation $C[\ ]$ for the context containing precisely one hole, and $C[t]$ denotes the result of placing a term $t$ in the hole of $C[\ ]$. A term $s$ is called a subterm of $t = C[s]$. We denote $s \unlhd t$ if $s$ is a subterm occurrence of $t$, and $s \lhd t$ if $s \unlhd t$ and $s \neq t$.

A rewrite rule is a pair $(l, r)$ of terms such that $l \notin V$ and $V(r) \subseteq V(l)$. We write $l \to r$ for $(l, r)$. A term rewriting system (TRS for short) $\mathcal{R}$ is a set of rewrite rules. The rewrite rules of a TRS $\mathcal{R}$ define a reduction relation $\to_{\mathcal{R}}$ on $T(\mathcal{F}, V)$ as follows: $t \to_{\mathcal{R}} s$ iff there exist a rewrite rule $l \to r \in \mathcal{R}$, a context $C[\ ]$ and a substitution $\theta$ such that $t = C[l\theta]$ and $s = C[r\theta]$. The transitive closure of $\to_{\mathcal{R}}$ is denoted by $\to^{+}_{\mathcal{R}}$. A TRS $\mathcal{R}$ is terminating if there exists no infinite reduction sequence $t_0 \to_{\mathcal{R}} t_1 \to_{\mathcal{R}} t_2 \to_{\mathcal{R}} \cdots$.

A (strict) partial order $\succ$ is a transitive and irreflexive relation. The reflexive closure of $\succ$ is denoted by $\succeq$. A partial order $\succ$ is well-founded if there is no infinite decreasing sequence $t_1 \succ t_2 \succ t_3 \succ \cdots$. A partial order $\succ$ is a partial-well-order iff for every infinite sequence $t_1, t_2, t_3, \ldots$ there exist indices $i < j$ such that $t_i \preceq t_j$.

A partial order $\succ$ on $T(\mathcal{F}, V)$ is called a rewrite order if it is closed under context and substitution. A TRS $\mathcal{R}$ is compatible with a partial order $\succ$ if $l \succ r$ for every rule $l \to r \in \mathcal{R}$.

3 Simplification Order over Varyadic Signature 

We now define the simplification ordering over varyadic signatures. Note that our definition lacks the deletion property, though it is necessary to relate the ordering with Kruskal's tree theorem in a varyadic setting [4, 5, 13].

Let $\mathcal{F}$ be a varyadic or fixed-arity signature. We say that a partial order $\succ$ on $T(\mathcal{F}, V)$ has the subterm property if $s \succ t$ whenever $t \lhd s$, and $\succ$ has the deletion property if $f(\cdots t \cdots) \succ f(\cdots \cdots)$ for all terms $t$ whenever the arities of $f$ allow it.

The TRS $\mathcal{R}_{emb}$ consists of all rewrite rules $f(x_1, \cdots, x_m) \to x_i$ with $f \in \mathcal{F}$ when the arities of $f$ allow it. Here $x_1, \cdots, x_m$ are pairwise different variables. The embedding relation $\rhd_{emb}$ is defined by $\rhd_{emb} = \to^{+}_{\mathcal{R}_{emb}}$. The embedding relation $\rhd_{emb}$ is a partial order which has the subterm property.

Proposition 1 (Kruskal's Tree Theorem (Finite Version)). Let $\mathcal{F}$ be a fixed-arity signature and $\mathcal{F} \cup V$ be finite. Then the embedding relation $\rhd_{emb}$ is a partial-well-order on $T(\mathcal{F}, V)$ [2, 13, 15].
It should be noted that in the literature [4, 5] the embedding relation requires not only the subterm property but also the deletion property, i.e., $f(\cdots, t, \cdots) \rhd_{emb} f(\cdots \cdots)$, when function symbols are varyadic. This requirement is necessary for Kruskal's tree theorem. To see why, consider the infinite sequence $f(c), f(c, c), f(c, c, c), \cdots$ for a varyadic function symbol $f$ and a constant $c$. This sequence shows that Kruskal's tree theorem fails over varyadic signatures if the embedding relation $\rhd_{emb}$ does not have the deletion property. However, the deletion property is incompatible with the lexicographic path ordering $\succ_{lpo}$ (which is just the subject studied throughout this paper); for instance, $f(c, b, b, b) \to_{delete} f(b, b, b)$ but $f(c, b, b, b) \prec_{lpo} f(b, b, b)$ for $c < b$. Thus, we do not suppose the deletion property of $\rhd_{emb}$, but in order for $\rhd_{emb}$ to be a partial-well-order over a varyadic signature, we impose an alternative restriction, namely that varyadic function symbols occurring in an infinite sequence of terms have their arities bounded by a natural number.

The maximum degree $D(t)$ of a term $t \in T(\mathcal{F}, V)$ is defined by: (i) $D(x) = 0$ for a variable $x$, (ii) $D(c) = 0$ for a constant $c$, (iii) $D(f(t_1, \cdots, t_n)) = max\{n, D(t_1), \cdots, D(t_n)\}$ for $n > 0$. The set of terms having maximum degree not more than $m$ is defined by $T_m(\mathcal{F}, V) = \{t \mid D(t) \le m\}$. Then, we have the following tree theorem over varyadic signatures as a corollary of Kruskal's tree theorem, even if the embedding relation $\rhd_{emb}$ does not have the deletion property.

Lemma 1 (Tree Theorem). Let $\mathcal{F}$ be a varyadic or fixed-arity signature and $\mathcal{F} \cup V$ be finite. Then the embedding relation $\rhd_{emb}$ is a partial-well-order on $T_m(\mathcal{F}, V)$ for any natural number $m$.

Proof. We code varyadic function symbols $f$ into fixed-arity function symbols $f_k$ by labeling $f$ with its arity $k$ as in Ferreira [5]. Since all function symbols occurring in terms over $T_m(\mathcal{F}, V)$ have their arities bounded by $m$, we need to consider only finitely many coded function symbols $f_k$ ($k \le m$) even if $f$ has infinitely many arities. In this new setting, Kruskal's tree theorem remains valid for the embedding relation $\rhd_{emb}$ without the deletion property since the new signature is finite and fixed-arity. □

Definition 1. An order on $T(\mathcal{F}, V)$ is called a simplification order if it is a rewrite order with the subterm property [2, 13, 15].

Lemma 2. A simplification order on $T(\mathcal{F}, V)$ satisfies $\rhd_{emb}$ [2, 13, 15].

Proof. Trivial from the definitions of simplification order and of $\rhd_{emb}$. □

Definition 2. Let $\mathcal{F}$ be a varyadic or fixed-arity signature. A TRS $\mathcal{R}$ over $T(\mathcal{F}, V)$ is bounded if for any infinite reduction sequence $t_0 \to_{\mathcal{R}} t_1 \to_{\mathcal{R}} t_2 \to_{\mathcal{R}} t_3 \to_{\mathcal{R}} \cdots$ there exist some natural number $m$ and a finite set $F$ such that $D(t_i) \le m$ and $\mathcal{F}(t_i) \subseteq F$ for all $i$.

Lemma 3. Let $\mathcal{F}$ be a varyadic or fixed-arity signature and $\mathcal{R}$ be a finite TRS over $T(\mathcal{F}, V)$. Then $\mathcal{R}$ is bounded.




44 



Yoshihito Toyama 



Proof. Let $t_0 \to_{\mathcal{R}} t_1 \to_{\mathcal{R}} t_2 \to_{\mathcal{R}} t_3 \to_{\mathcal{R}} \cdots$ be an infinite reduction sequence. Taking $\mathcal{F}(t_0) \cup \bigcup_{l \to r \in \mathcal{R}} \mathcal{F}(r)$ as a finite set $F$, we have $\mathcal{F}(t_i) \subseteq F$ for all $i$. Let $p = max\{D(r) \mid l \to r \in \mathcal{R}\}$. Consider a reduction $s \to_{\mathcal{R}} t$ where $s = C[l\theta]$, $t = C[r\theta]$ and $l \to r \in \mathcal{R}$. Then we have

$D(t) = D(C[r\theta]) = max\{D(C[\ ]), D(r), D(x\theta) \mid x \in V(r)\} \le max\{D(C[\ ]), D(l), D(r), D(x\theta) \mid x \in V(r)\} \le max\{D(C[l\theta]), D(r)\} = max\{D(s), D(r)\} \le max\{D(s), p\}$.

Thus it holds that $D(t_{i+1}) \le max\{D(t_i), p\}$ ($i = 0, 1, 2, \cdots$). By taking $m = max\{D(t_0), p\}$ we conclude the claim. □

A TRS $\mathcal{R}$ is right-bounded if the sets $\bigcup_{l \to r \in \mathcal{R}} \mathcal{F}(r)$ and $\{D(r) \mid l \to r \in \mathcal{R}\}$ are finite. Note that $\mathcal{R}$ is right-bounded whenever $\mathcal{R}$ is finite. We can weaken a finite TRS to a right-bounded (infinite) TRS in Lemma 3 as follows.

Lemma 4. Let $\mathcal{F}$ be a varyadic or fixed-arity signature and $\mathcal{R}$ be a right-bounded TRS over $T(\mathcal{F}, V)$. Then $\mathcal{R}$ is bounded.

Theorem 1. Let $\mathcal{F}$ be a varyadic or fixed-arity signature and $\mathcal{R}$ be a bounded TRS over $T(\mathcal{F}, V)$ compatible with a simplification order. Then $\mathcal{R}$ is terminating.

Proof. Let $\mathcal{R}$ be compatible with a simplification order $\succ$. For a proof by contradiction, suppose an infinite reduction sequence $t_0 \to_{\mathcal{R}} t_1 \to_{\mathcal{R}} t_2 \to_{\mathcal{R}} t_3 \to_{\mathcal{R}} \cdots$. Then we have $V(t_i) \subseteq V(t_0)$ for all $i$. Since $\mathcal{R}$ is bounded, $t_0, t_1, t_2, \cdots \in T_m(F, V(t_0))$ for some natural number $m$ and a finite set $F$. According to Lemma 1 (Tree Theorem), there exist $i < j$ such that $t_i \unlhd_{emb} t_j$. From Lemma 2, we have $t_i \preceq t_j$; a contradiction to $t_i \succ t_j$. Hence we conclude the claim. □

Corollary 1. Let $\mathcal{F}$ be a varyadic or fixed-arity signature and $\mathcal{R}$ be a finite (or right-bounded) TRS over $T(\mathcal{F}, V)$ compatible with a simplification order. Then $\mathcal{R}$ is terminating.

4 Lexicographic Path Order over Varyadic Signature 

The lexicographic path order over a fixed-arity signature was first described in Kamin and Lévy [7]. The following definition gives the lexicographic path order over varyadic signatures.

Definition 3 (lpo for varyadic signature). Let $\mathcal{F}$ be a varyadic or fixed-arity signature and $>$ a precedence (i.e., a partial order) on $\mathcal{F}$. The lexicographic path order $\succ_{lpo}$ on $T(\mathcal{F}, V)$ is recursively defined as follows: $s \succ_{lpo} t$ iff $s = f(s_1, \cdots, s_m)$, $t = g(t_1, \cdots, t_n)$ or $t \in V$, and

(L1) $\exists i.\ s_i \succeq_{lpo} t$, or

(L2) $f > g$ and $\forall i.\ s \succ_{lpo} t_i$, or

(L3) $f = g$, $m > n$, and $s_1 = t_1, \cdots, s_n = t_n$, or

(L4) $f = g$ and $\exists i.\ s_1 = t_1, \cdots, s_{i-1} = t_{i-1},\ s_i \succ_{lpo} t_i,\ s \succ_{lpo} t_{i+1}, \cdots, s \succ_{lpo} t_n$.
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Lemma 5. The lexicographic path order is a simplification order. 

Proof. It can be shown by structural induction. □ 

Note that the simplification order is not sufficient to guarantee well-foundedness of $\succ_{lpo}$; for example, we can have the infinite descending sequence $f(b) \succ_{lpo} f(c, b) \succ_{lpo} f(c, c, b) \succ_{lpo} f(c, c, c, b) \succ_{lpo} \cdots$ if $f$ is varyadic and $b > c$. The problem arises from the fact that lexicographic sequences of unbounded size are not well-founded. Kamin and Levy [7] proved that $\succ_{lpo}$ is well-founded when all function symbols are fixed-arity. Ferreira [5] weakened the fixed-arity restriction to the bounded varyadic restriction, i.e., the arity of every varyadic function is bounded by a natural number. In the following theorem we show that these restrictions can be weakened further.

Theorem 2. Let $\mathcal{F}$ be a varyadic or fixed-arity signature and $\mathcal{R}$ a bounded TRS over $T(\mathcal{F}, \mathcal{V})$ compatible with the lexicographic path order $\succ_{lpo}$. Then $\mathcal{R}$ is terminating.

Proof. It follows from Theorem 1 and Lemma 5. □

Corollary 2. Let $\mathcal{F}$ be a varyadic or fixed-arity signature and $\mathcal{R}$ a finite (or right-bounded) TRS over $T(\mathcal{F}, \mathcal{V})$ compatible with the lexicographic path order $\succ_{lpo}$. Then $\mathcal{R}$ is terminating.

5 S-Expression Rewriting Systems 

An S-expression, which is short for symbolic expression, is used for representing an expression or data in Lisp-like programming languages. As an S-expression uses the prefix notation, the term $f(a, g(b, c), d, e)$ is written as the S-expression $(f\ a\ (g\ b\ c)\ d\ e)$. A variable $\alpha$ at the prefix, like $(\alpha\ a\ (g\ b\ c)\ d\ e)$, works as a higher-order variable. This feature allows us to present higher-order rewrite rules as simple first-order rewrite rules. For example, the higher-order function map is presented by the following rewrite rules over S-expressions:

  (map α nil) → nil
  (map α (cons x y)) → (cons (α x) (map α y))

where map, cons, nil are constants and α, x, y variables.

The most common method to treat higher-order rewriting without $\lambda$-notation is to use applicative terms, like $ap(ap(ap(f, a), b), c)$ for the term $f(a, b, c)$ with the application symbol $ap$ [8]. The notion of applicative term can give a simple way for presenting higher-order rewrite rules just like S-expressions, but the left-associated sequence of $ap$ is not convenient for proving termination of rewriting systems by simplification orderings. Consider two terms $g(b)$ and $f(g(a), b)$ where $g > f > b > a$. Then $g(b) \succ_{lpo} f(g(a), b)$ by the lexicographic path order $\succ_{lpo}$, but we have the reverse direction between the corresponding applicative terms, i.e., $ap(g, b) \prec_{lpo} ap(ap(f, ap(g, a)), b)$, because of $ap(g, b) \lhd_{emb} ap(ap(f, ap(g, a)), b)$.
The same problem arises from the usual syntax of S-expressions, by which $(f\ a\ b\ c)$ is expressed as $cons(f, cons(a, cons(b, cons(c, nil))))$ based on the constructor symbols $cons$ and $nil$. Thus, apart from this syntax, we introduce a new syntax of S-expressions based on a varyadic function symbol having infinitely many arities, on which the lexicographic path order works well like usual simplification orderings over first-order fixed-arity terms.

Definition 4 (S-expression). Let $C$ be a set of constants, $\circ \notin C$ a varyadic function symbol with any natural numbers as its arities, and $\mathcal{V}$ a set of variables. Then the set of S-expressions built from $C$ and $\mathcal{V}$, denoted by $S(C, \mathcal{V})$, is recursively defined as follows:

(i) $C \cup \mathcal{V} \subseteq S(C, \mathcal{V})$.

(ii) $\circ(s_1, \ldots, s_n) \in S(C, \mathcal{V})$ if $s_1, \ldots, s_n \in S(C, \mathcal{V})$ $(n \geq 0)$.

From the definition it is trivial that $S(C, \mathcal{V}) = T(C \cup \{\circ\}, \mathcal{V})$. S-expressions $\circ(s_1, s_2, \ldots, s_n)$ are usually denoted by $(s_1\ s_2\ \cdots\ s_n)$, for short. For example, the S-expression $\circ(f, a, \circ(g, x), b, \circ())$ is written as $(f\ a\ (g\ x)\ b\ ())$.

The lexicographic path order on S-expressions is defined as follows. 

Definition 5 (lps on S-expressions). Let $C$ be a set of constants and $>$ a precedence (i.e., a partial order) on $C$. The lexicographic path order $\succ_{lps}$ on $S(C, \mathcal{V})$ is recursively defined as follows: $s \succ_{lps} t$ iff $s = (s_1\ \cdots\ s_m)$ or $s \in C$, $t = (t_1\ \cdots\ t_n)$ or $t \in C \cup \mathcal{V}$, and

(S0) $s, t \in C$ and $s > t$, or

(S1) $s \in C$ and $\forall i.\ s \succ_{lps} t_i$, or

(S2) $\exists i.\ s_i \succeq_{lps} t$, or

(S3) $m > n$ and $s_1 = t_1, \ldots, s_n = t_n$, or

(S4) $\exists i.\ s_1 = t_1, \ldots, s_{i-1} = t_{i-1},\ s_i \succ_{lps} t_i,\ s \succ_{lps} t_{i+1}, \ldots, s \succ_{lps} t_n$.

Lemma 6. The lexicographic path order $\succ_{lps}$ on $S(C, \mathcal{V})$ is a simplification order.

Proof. We extend the precedence $>$ on $C$ to $C \cup \{\circ\}$ by $a > \circ$ for all $a \in C$. This extension gives the lexicographic path order $\succ_{lpo}$ on $T(C \cup \{\circ\}, \mathcal{V})$, i.e., $\succ_{lpo}$ on $S(C, \mathcal{V})$ since $S(C, \mathcal{V}) = T(C \cup \{\circ\}, \mathcal{V})$. It is proven that $\succ_{lps}$ and $\succ_{lpo}$ coincide. Thus from Lemma 5 the claim follows. □

An S-expression rewriting system (SRS for short) $\mathcal{R}$ is a term rewriting system on $S(C, \mathcal{V})$, i.e., the rewrite rules $l \to r \in \mathcal{R}$ consist of S-expressions $l, r \in S(C, \mathcal{V})$ and they define a reduction relation $\to_{\mathcal{R}}$ on $S(C, \mathcal{V})$.

Theorem 3. Let $\mathcal{R}$ be a bounded SRS over $S(C, \mathcal{V})$ compatible with the lexicographic path order $\succ_{lps}$. Then $\mathcal{R}$ is terminating.

Proof. It follows from Theorem 1 and Lemma 6. □

Corollary 3. Let $\mathcal{R}$ be a finite (or right-bounded) SRS over $S(C, \mathcal{V})$ compatible with the lexicographic path order $\succ_{lps}$. Then $\mathcal{R}$ is terminating.
6 Termination of SRS

We verify termination of S-expression rewriting systems by the lexicographic path order $\succ_{lps}$. Various higher-order rewriting systems in the literature [1, 6, 10-12, 14] are naturally expressed as SRSs, and their termination is easily proven as that of SRSs without using the notion of type.

In the following examples, we denote variables playing the role of higher-order variables by $\alpha, \beta, \gamma, \ldots$, in distinction from $x, y, z, \ldots$, for readability.

Example 1 (map). Let $C = \{map, cons, nil\}$ with $map > cons > nil$ and consider the following SRS $\mathcal{R}$.

  ((map α) nil) → nil
  ((map α) (cons x y)) → (cons (α x) ((map α) y))

For the first rule, $((map\ \alpha)\ nil) \succ_{lps} nil$ is trivial by the subterm property. For the second rule we have (i) $(map\ \alpha) \succ_{lps} cons$ because $map > cons$, (ii) $((map\ \alpha)\ (cons\ x\ y)) \succ_{lps} (\alpha\ x)$ because $(map\ \alpha) \succ_{lps} \alpha$ and $((map\ \alpha)\ (cons\ x\ y)) \succ_{lps} x$, and (iii) $((map\ \alpha)\ (cons\ x\ y)) \succ_{lps} ((map\ \alpha)\ y)$ because $(cons\ x\ y) \succ_{lps} y$. From this we have $((map\ \alpha)\ (cons\ x\ y)) \succ_{lps} (cons\ (\alpha\ x)\ ((map\ \alpha)\ y))$. Thus $\mathcal{R}$ is terminating since it is compatible with $\succ_{lps}$. □

Note that in the above example, map is represented in the crimped notation $((map\ s)\ t)$ with the extra parentheses [11], instead of the usual flat notation $(map\ s\ t)$. This crimping is necessary in our ordering because $(map\ \alpha\ (cons\ x\ y)) \not\succ_{lps} (cons\ (\alpha\ x)\ (map\ \alpha\ y))$.
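As an added illustration (not code from the paper), the following Python implements $\succ_{lps}$ of Definition 5 clause by clause and checks $l \succ_{lps} r$ for every rule of an SRS: Example 1 in the crimped notation, the flat notation that the note above says fails, and Example 3 below. The names alpha and beta stand for α and β, and "." for the composition constant of Example 3.

```python
# Added example, not from the paper: Definition 5's order >_lps on S-expressions,
# used to check l >_lps r for every rule of an SRS (Examples 1 and 3).
import re


def parse(src):
    """Parse '((map alpha) nil)' into nested tuples; atoms become strings."""
    tokens = re.findall(r"\(|\)|[^\s()]+", src)
    pos = 0

    def expr():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return tok
        items = []
        while tokens[pos] != ")":
            items.append(expr())
        pos += 1                      # consume ')'
        return tuple(items)

    return expr()


def make_lps(constants, precedence, variables):
    """Return s >_lps t for constants C, a precedence given as pairs (a, b)
    meaning a > b (closed under transitivity here), and variables V."""
    gt = set(precedence)
    while True:
        closure = {(a, d) for (a, b) in gt for (c, d) in gt if b == c}
        if closure <= gt:
            break
        gt |= closure

    def geq(s, t):                    # s >=_lps t
        return s == t or lps(s, t)

    def lps(s, t):
        if s in variables:            # a variable is never greater than anything
            return False
        if isinstance(s, str):        # s in C
            if isinstance(t, str):
                return t in constants and (s, t) in gt              # (S0)
            return all(lps(s, ti) for ti in t)                       # (S1)
        if any(geq(si, t) for si in s):                              # (S2)
            return True
        if isinstance(t, str):        # only (S2) puts an atom below a list
            return False
        m, n = len(s), len(t)
        if m > n and s[:n] == t:                                     # (S3)
            return True
        for i in range(min(m, n)):                                   # (S4)
            if s[i] != t[i]:
                return lps(s[i], t[i]) and all(lps(s, tj) for tj in t[i + 1:])
        return False

    return lps


def compatible(rules, lps):
    """True iff l >_lps r for every rule 'l -> r' of the SRS."""
    return all(lps(parse(l), parse(r)) for l, r in rules)


# Example 1 in the crimped notation ((map alpha) t) and in the flat notation.
MAP_CRIMPED = [("((map alpha) nil)", "nil"),
               ("((map alpha) (cons x y))", "(cons (alpha x) ((map alpha) y))")]
MAP_FLAT = [("(map alpha nil)", "nil"),
            ("(map alpha (cons x y))", "(cons (alpha x) (map alpha y))")]
LPS_MAP = make_lps({"map", "cons", "nil"}, {("map", "cons"), ("cons", "nil")},
                   {"alpha", "x", "y"})

# Example 3 (twice), with '.' standing for the composition constant.
TWICE = [("((. alpha beta) x)", "(alpha (beta x))"),
         ("(twice alpha)", "(. alpha alpha)")]
LPS_TWICE = make_lps({"twice", "."}, {("twice", ".")}, {"alpha", "beta", "x"})


def results():
    return (compatible(MAP_CRIMPED, LPS_MAP),     # True: Example 1
            compatible(MAP_FLAT, LPS_MAP),        # False: the flat rule fails
            compatible(TWICE, LPS_TWICE))         # True: Example 3
```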

Example 2 (fmap). Let $C = \{fmap, cons, nil\}$ with $fmap > cons > nil$ and consider the following SRS $\mathcal{R}$.

  ((fmap nil) x) → nil
  ((fmap (cons α β)) x) → (cons (α x) ((fmap β) x))

Then $\mathcal{R}$ is terminating since it can be shown to be compatible with $\succ_{lps}$. □

Example 3 (twice). Let $C = \{twice, \cdot\}$ with $twice > \cdot$ and consider the following SRS $\mathcal{R}$.

  ((· α β) x) → (α (β x))
  (twice α) → (· α α)

Then $\mathcal{R}$ is terminating since it can be shown to be compatible with $\succ_{lps}$. □

Example 4 (filter). Let $C = \{filter, if, true, false, cons, nil\}$ with $filter > if > cons > nil, true, false$ and consider the following SRS $\mathcal{R}$.

  ((filter α) nil) → nil
  ((filter α) (cons x y)) → (if (α x) (cons x ((filter α) y)) ((filter α) y))
  (if true x y) → x
  (if false x y) → y

Then $\mathcal{R}$ is terminating since it can be shown to be compatible with $\succ_{lps}$. □
Example 5 (folding). Let $C = \{sum, prod, fold, *, +, s, 0, cons, nil\}$ with $sum, prod > fold > * > + > s > 0 > cons > nil$ and consider the following SRS $\mathcal{R}$.

  ((fold α x) nil) → x
  ((fold α x) (cons y z)) → (α y ((fold α x) z))
  sum → (fold + 0)
  prod → (fold * (s 0))
  (+ 0 y) → y
  (+ (s x) y) → (s (+ x y))
  (* 0 y) → 0
  (* (s x) y) → (+ (* x y) y)

Then $\mathcal{R}$ is terminating since it can be shown to be compatible with $\succ_{lps}$. □

Example 6 (recursor). Let $C = \{rec, s, 0\}$ with $rec > s > 0$ and consider the following SRS $\mathcal{R}$.

  ((rec α x) 0) → x
  ((rec α x) (s y)) → (α (s y) ((rec α x) y))

Then $\mathcal{R}$ is terminating since it can be shown to be compatible with $\succ_{lps}$. □

Example 7 (sorting). Let $C = \{asort, dsort, sort, ins, max, min, s, 0, cons, nil\}$ with $asort, dsort > sort > ins > max, min > s > 0 > cons > nil$ and consider the following SRS $\mathcal{R}$.

  ((sort α β) nil) → nil
  ((sort α β) (cons x y)) → ((ins α β) ((sort α β) y) x)
  ((ins α β) nil y) → (cons y nil)
  ((ins α β) (cons x z) y) → (cons (α x y) ((ins α β) z (β x y)))
  (max 0 y) → y
  (max x 0) → x
  (max (s x) (s y)) → (s (max x y))
  (min 0 y) → 0
  (min x 0) → 0
  (min (s x) (s y)) → (s (min x y))
  (asort z) → ((sort min max) z)
  (dsort z) → ((sort max min) z)

Then $\mathcal{R}$ is terminating since it can be shown to be compatible with $\succ_{lps}$. □

7 Relation between TRS and SRS 

A set of terms over a signature $\mathcal{F}$ can be embedded in a set of S-expressions by regarding a function symbol as a constant. In this section we discuss the relation between the two lexicographic path orders $\succ_{lpo}$ on terms and $\succ_{lps}$ on S-expressions. We show that under the isomorphic embedding, $\succ_{lpo}$ and $\succ_{lps}$ coincide if they are induced from the same precedence $>$ over a signature $\mathcal{F}$. Thus, the lexicographic path order $\succ_{lps}$ on S-expressions is a conservative extension of $\succ_{lpo}$ on usual first-order terms.

Let $T(\mathcal{F}, \mathcal{V})$ be a set of terms built from a signature $\mathcal{F}$ and a set $\mathcal{V}$ of variables. The set $S(\mathcal{F}, \mathcal{V})$ of S-expressions induced from a signature $\mathcal{F}$ is recursively defined by: (i) $x \in S(\mathcal{F}, \mathcal{V})$ for $x \in \mathcal{V}$, (ii) $c \in S(\mathcal{F}, \mathcal{V})$ for a constant $c$, and (iii) $(f\ s_1\ \cdots\ s_m) \in S(\mathcal{F}, \mathcal{V})$ if $s_1, \ldots, s_m \in S(\mathcal{F}, \mathcal{V})$ and $f \in \mathcal{F}$ has the arity $m$ $(m \geq 1)$. Then $T(\mathcal{F}, \mathcal{V})$ and $S(\mathcal{F}, \mathcal{V})$ are isomorphic thanks to an isomorphism $\Phi : T(\mathcal{F}, \mathcal{V}) \to S(\mathcal{F}, \mathcal{V})$ such that $\Phi(f(t_1, \ldots, t_m)) = (f\ \Phi(t_1)\ \cdots\ \Phi(t_m))$ $(m \geq 1)$ and $\Phi(a) = a$ for a constant or variable $a$; for example, $\Phi(f(g(x, c), y)) = (f\ (g\ x\ c)\ y)$. Thus $\Phi(T(\mathcal{F}, \mathcal{V})) = S(\mathcal{F}, \mathcal{V})$.

Let $\mathcal{R}$ be a TRS over $T(\mathcal{F}, \mathcal{V})$. Then an SRS over $\Phi(T(\mathcal{F}, \mathcal{V}))$ induced from $\mathcal{R}$ is defined by $\Phi(\mathcal{R}) = \{\Phi(l) \to \Phi(r) \mid l \to r \in \mathcal{R}\}$. We remark that $s \to_{\mathcal{R}} t \iff \Phi(s) \to_{\Phi(\mathcal{R})} \Phi(t)$. Thus $\mathcal{R}$ is terminating if and only if $\Phi(\mathcal{R})$ is terminating.

A precedence $>$ on a signature $\mathcal{F}$ gives two lexicographic path orders $\succ_{lpo}$ on $T(\mathcal{F}, \mathcal{V})$ and $\succ_{lps}$ on $\Phi(T(\mathcal{F}, \mathcal{V}))$. The following result shows that $\succ_{lpo}$ and $\succ_{lps}$ are isomorphic.

Theorem 4. The two lexicographic path orders $\succ_{lpo}$ on $T(\mathcal{F}, \mathcal{V})$ and $\succ_{lps}$ on $\Phi(T(\mathcal{F}, \mathcal{V}))$ are isomorphic, i.e., $s \succ_{lpo} t \iff \Phi(s) \succ_{lps} \Phi(t)$.

Proof. It can be proven by induction on the size of the terms $s$ and $t$. □

8 Typed S-Expressions and Currying 

Transformation techniques [3] are widely used to prove termination of rewriting systems that cannot be proven by the classical orderings. In this section we propose a transformational method that strengthens the power of the lexicographic path order $\succ_{lps}$ by using type information.

The set $\mathcal{T}$ of types built from a non-empty set of base types $\mathcal{B}$ is recursively defined by: (i) $\tau \in \mathcal{T}$ for $\tau \in \mathcal{B}$, and (ii) $\tau_1 \times \tau_2 \times \cdots \times \tau_n \to \tau_0 \in \mathcal{T}$ $(n \geq 1)$ for $\tau_0, \ldots, \tau_n \in \mathcal{T}$. A type not in $\mathcal{B}$ is called a function type. We use the symbols $\tau, \sigma, \ldots$ to denote types. For every type we assume a countably infinite set of variables of that type, written as $x, y, z, \ldots$ for base types and as $\alpha, \beta, \gamma, \ldots$ for functional types.

Let $C^\tau$ be a set of constants of type $\tau$, denoted by $f, g, h, \ldots$, and $\mathcal{V}^\tau$ a set of variables of type $\tau$, and $C = \bigcup_\tau C^\tau$, $\mathcal{V} = \bigcup_\tau \mathcal{V}^\tau$. Here, $C^\tau \cap C^\sigma = \emptyset$ and $\mathcal{V}^\tau \cap \mathcal{V}^\sigma = \emptyset$ if $\tau \neq \sigma$. The set $S(C, \mathcal{V})^\tau$ of terms (i.e., S-expressions) of type $\tau$ is recursively defined by: (i) $a \in S(C, \mathcal{V})^\tau$ for $a \in C^\tau \cup \mathcal{V}^\tau$, and (ii) $(f\ t_1\ \cdots\ t_n) \in S(C, \mathcal{V})^\tau$ for $f \in C^{\tau_1 \times \cdots \times \tau_n \to \tau}$ and $t_i \in S(C, \mathcal{V})^{\tau_i}$ $(i = 1, \ldots, n)$. We define $S(C, \mathcal{V}) = \bigcup_\tau S(C, \mathcal{V})^\tau$. The symbols $s, t, \ldots$ denote terms. The notation $t^\tau$ is sometimes used to indicate the type $\tau$ of a term $t$ explicitly. In keeping the well-typed structure we make use of the usual notions of substitution of a term $t$, denoted as $t\theta$, and replacement in a context, denoted as $C[t]$.

A rewrite rule, written as $l \to r$, is a pair of typed terms such that $l \notin \mathcal{V}$, $\mathcal{V}(r) \subseteq \mathcal{V}(l)$, and $l$ and $r$ have the same type. A typed SRS $\mathcal{R}$ is a set of rewrite rules. The rewrite rules of a typed SRS $\mathcal{R}$ define a reduction relation $\to_{\mathcal{R}}$ on $S(C, \mathcal{V})$ in the usual manner.
Definition 6 (currying). Let $\mathcal{T}$ be a set of types generated from a set $\mathcal{B}$ of base types. A currying $\Gamma$ is a pair of types $(\tau_1 \times \cdots \times \tau_p \times \tau_{p+1} \times \cdots \times \tau_m \to \tau_0,\ \tau_1 \times \cdots \times \tau_p \to (\tau_{p+1} \times \cdots \times \tau_m \to \tau_0))$ where $1 \leq p < m$. A currying $\Gamma$ can be extended to an endomorphism over $\mathcal{T}$ as follows.

$\Gamma(\tau) = \sigma$ if $\Gamma = (\tau, \sigma)$,
$\Gamma(\tau) = \tau$ if $\tau \in \mathcal{B}$,
$\Gamma(\tau) = \Gamma(\rho_1) \times \cdots \times \Gamma(\rho_n) \to \Gamma(\rho)$ otherwise $(\tau = \rho_1 \times \cdots \times \rho_n \to \rho)$.

Note that $\Gamma(\rho)$ is the type obtained from a type $\rho$ by replacing all occurrences of $\tau$ in $\rho$ with the type $\sigma$ when $\Gamma = (\tau, \sigma)$. Thus $\Gamma(\rho) = \rho$ if no $\tau$ occurs in $\rho$.

Let $C$ and $\mathcal{V}$ be sets of typed constants and variables respectively. By replacing the type $\tau$ of the elements in $C$ and $\mathcal{V}$ with $\Gamma(\tau)$, we obtain a set of constants $\Gamma(C) = \{f^{\Gamma(\tau)} \mid f^\tau \in C\}$ and a set of variables $\Gamma(\mathcal{V}) = \{x^{\Gamma(\tau)} \mid x^\tau \in \mathcal{V}\}$. Then each term in $S(C, \mathcal{V})$ can be converted into $S(\Gamma(C), \Gamma(\mathcal{V}))$ as follows.

Definition 7. Let $S(C, \mathcal{V})$ be a set of typed terms. Let $\Gamma$ be a currying such that $\Gamma(\tau_1 \times \cdots \times \tau_p \times \tau_{p+1} \times \cdots \times \tau_m \to \tau_0) = \tau_1 \times \cdots \times \tau_p \to (\tau_{p+1} \times \cdots \times \tau_m \to \tau_0)$. Then a homomorphism from $S(C, \mathcal{V})$ to $S(\Gamma(C), \Gamma(\mathcal{V}))$ induced from $\Gamma$, denoted by the same letter $\Gamma$, is defined as follows.

$\Gamma(t) = ((\Gamma(t_0)\ \Gamma(t_1)\ \cdots\ \Gamma(t_p))\ \Gamma(t_{p+1})\ \cdots\ \Gamma(t_m))$ if $t = (t_0^{\tau_1 \times \cdots \times \tau_m \to \tau_0}\ t_1^{\tau_1}\ \cdots\ t_p^{\tau_p}\ t_{p+1}^{\tau_{p+1}}\ \cdots\ t_m^{\tau_m})$,
$\Gamma(t) = a^{\Gamma(\tau)}$ if $t = a^\tau \in C \cup \mathcal{V}$,
$\Gamma(t) = (\Gamma(t_0)\ \cdots\ \Gamma(t_n))$ otherwise $(t = (t_0\ \cdots\ t_n))$.

Example 8 (currying). Let $\mathcal{B} = \{N, L\}$ and $C = \{\ldots, nil^L\}$. Let $\Gamma((N \to N) \times L \to L) = (N \to N) \to (L \to L)$. Then we have the following curried term.

Lemma 7. Let $t$ be a term of type $\sigma$ in $S(C, \mathcal{V})$. Then $\Gamma(t)$ is a well-typed term of type $\Gamma(\sigma)$ in $S(\Gamma(C), \Gamma(\mathcal{V}))$.

Proof. By induction on the structure of $t$, we can prove the claim. □

For a substitution $\theta$, we define a substitution $\Gamma(\theta)$ by $\Gamma(\theta)(x^{\Gamma(\tau)}) = \Gamma(x^\tau \theta)$. The type $\tau$ of the hole in a context $C[\ ]$ is denoted by $C[\ ]_\tau$. Then a context $\Gamma(C)[\ ]$ is defined by $\Gamma(C)[\ ]_{\Gamma(\tau)} = \Gamma(C[\ ]_\tau)$.

The following results are easily proven by induction on the structure of a term.

Lemma 8. For a term $t$ and a substitution $\theta$ we have $\Gamma(t\theta) = \Gamma(t)\Gamma(\theta)$.

Lemma 9. For a term $t$ and a context $C[\ ]_\tau$ we have $\Gamma(C[t]) = \Gamma(C)[\Gamma(t)]$.

For a typed SRS $\mathcal{R}$ on $S(C, \mathcal{V})$ we define a curried SRS $\Gamma(\mathcal{R})$ on $S(\Gamma(C), \Gamma(\mathcal{V}))$ by $\Gamma(\mathcal{R}) = \{\Gamma(l) \to \Gamma(r) \mid l \to r \in \mathcal{R}\}$. The next result relates termination of $\Gamma(\mathcal{R})$ to termination of $\mathcal{R}$.
Lemma 10. Let $\Gamma$ be a currying and $\mathcal{R}$ a typed SRS. Then $\Gamma(s) \to_{\Gamma(\mathcal{R})} \Gamma(t)$ for $s \to_{\mathcal{R}} t$.

Proof. Let $s = C[l\theta]$ and $t = C[r\theta]$ for some $l \to r \in \mathcal{R}$, $C[\ ]$, $\theta$. From Lemmas 8 and 9 we have $\Gamma(s) = \Gamma(C[l\theta]) = \Gamma(C)[\Gamma(l)\Gamma(\theta)]$ and $\Gamma(t) = \Gamma(C[r\theta]) = \Gamma(C)[\Gamma(r)\Gamma(\theta)]$. Thus it follows that $\Gamma(s) \to_{\Gamma(\mathcal{R})} \Gamma(t)$. □

Theorem 5. Let $\Gamma$ be a currying and $\mathcal{R}$ a typed SRS. Then $\mathcal{R}$ is terminating if $\Gamma(\mathcal{R})$ is terminating.

Proof. For a proof by contradiction, suppose an infinite reduction sequence $t_0 \to_{\mathcal{R}} t_1 \to_{\mathcal{R}} t_2 \to_{\mathcal{R}} t_3 \to_{\mathcal{R}} \cdots$. Then from Lemma 10 there exists an infinite reduction sequence $\Gamma(t_0) \to_{\Gamma(\mathcal{R})} \Gamma(t_1) \to_{\Gamma(\mathcal{R})} \Gamma(t_2) \to_{\Gamma(\mathcal{R})} \Gamma(t_3) \to_{\Gamma(\mathcal{R})} \cdots$. This is a contradiction to the termination of $\Gamma(\mathcal{R})$, and hence the claim holds. □



Note that termination of $\mathcal{R}$ does not guarantee that of $\Gamma(\mathcal{R})$. For example, consider $\mathcal{R} = \{(f\ ((\alpha\ x)\ y)) \to (f\ (\alpha\ b\ c))\}$, where $b, c, f$ are typed constants in $C$ and $x, y, \alpha$ typed variables in $\mathcal{V}$. Take $\Gamma(1 \times 1 \to 0) = 1 \to (1 \to 0)$. We have $\Gamma(\mathcal{R}) = \{(f\ ((\alpha\ x)\ y)) \to (f\ ((\alpha\ b)\ c))\}$. Then $(f\ ((\alpha\ b)\ c)) \to_{\Gamma(\mathcal{R})} (f\ ((\alpha\ b)\ c))$ but not $(f\ (\alpha\ b\ c)) \to_{\mathcal{R}} (f\ (\alpha\ b\ c))$.

In the following examples [1, 6, 10-12, 14], we regard $\Gamma(\mathcal{R})$ as an untyped SRS and prove its termination by applying the lexicographic path order $\succ_{lps}$. It should be noted that in our termination method the type information is used only for currying.



Example 9 (map). Let $C = \{map^{(N \to N) \times L \to L}, cons^{N \times L \to L}, nil^L\}$ with $map > cons > nil$ and consider the following typed SRS $\mathcal{R}$. (The type information is omitted in the subsequent examples, as it is easily derived.)

  (map α nil) → nil
  (map α (cons x y)) → (cons (α x) (map α y))

Take $\Gamma((N \to N) \times L \to L) = (N \to N) \to (L \to L)$. Then we have the following curried SRS $\Gamma(\mathcal{R})$.

  ((map α) nil) → nil
  ((map α) (cons x y)) → (cons (α x) ((map α) y))

From Example 1, $\Gamma(\mathcal{R})$ is terminating. Thus, according to Theorem 5, $\mathcal{R}$ is terminating. □
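The currying of Definitions 6 and 7 carried out mechanically, as an added example that is not the paper's code: it applies $\Gamma((N \to N) \times L \to L)$ to the typed map rules of Example 9, which must produce the crimped SRS of Example 1, and checks Lemma 7 on both sides of every rule. One assumption: the type checker lets the head of an application be any term of function type, which the curried terms like $((map\ \alpha)\ nil)$ require.

```python
# Added example, not the paper's code: the currying Γ of Definitions 6 and 7
# applied to the typed map SRS of Example 9, which must yield the crimped SRS of
# Example 1, plus a check of Lemma 7 (Γ(t) has type Γ(τ) when t has type τ).
# Assumption: the head of an application may be any term of function type, as the
# curried terms ((map alpha) nil) require.
from dataclasses import dataclass


def fun(*args, res):
    """The type tau_1 x ... x tau_n -> tau_0; a base type is just a string."""
    return ("->", tuple(args), res)


@dataclass(frozen=True)
class Atom:
    """A typed constant or variable a^tau."""
    name: str
    ty: object


def render(t):
    return t.name if isinstance(t, Atom) else "(" + " ".join(render(u) for u in t) + ")"


def make_currying(rho, p):
    """Definition 6: the pair (rho, sigma) splitting rho's m arguments after p (1 <= p < m)."""
    _, args, res = rho
    if not 1 <= p < len(args):
        raise ValueError("need 1 <= p < m")
    return (rho, fun(*args[:p], res=fun(*args[p:], res=res)))


def curry_type(gamma, tau):
    """Γ as an endomorphism on types (Definition 6)."""
    rho, sigma = gamma
    if tau == rho:
        return sigma
    if isinstance(tau, str):                      # base type
        return tau
    _, args, res = tau
    return fun(*(curry_type(gamma, a) for a in args), res=curry_type(gamma, res))


def type_of(t):
    """Type of a well-typed term; raises TypeError if t is ill-typed."""
    if isinstance(t, Atom):
        return t.ty
    head_ty = type_of(t[0])
    if isinstance(head_ty, str):
        raise TypeError(f"head of {render(t)} is not of function type")
    _, args, res = head_ty
    if len(args) != len(t) - 1 or any(type_of(u) != a for u, a in zip(t[1:], args)):
        raise TypeError(f"ill-typed term {render(t)}")
    return res


def curry_term(gamma, t):
    """The homomorphism Γ on terms (Definition 7)."""
    rho, sigma = gamma
    if isinstance(t, Atom):
        return Atom(t.name, curry_type(gamma, t.ty))
    parts = tuple(curry_term(gamma, u) for u in t)
    if t and type_of(t[0]) == rho:                # first clause: head has the curried type
        p = len(sigma[1])                         # arguments kept inside the inner list
        return (parts[:p + 1],) + parts[p + 1:]
    return parts                                  # third clause


def curry_srs(gamma, rules):
    return [(curry_term(gamma, l), curry_term(gamma, r)) for l, r in rules]


# Example 9: map^{(N->N) x L -> L}, cons^{N x L -> L}, nil^L; alpha^{N->N}, x^N, y^L.
N, L = "N", "L"
map_ = Atom("map", fun(fun(N, res=N), L, res=L))
cons = Atom("cons", fun(N, L, res=L))
nil = Atom("nil", L)
alpha, x, y = Atom("alpha", fun(N, res=N)), Atom("x", N), Atom("y", L)
EXAMPLE_9 = [((map_, alpha, nil), nil),
             ((map_, alpha, (cons, x, y)), (cons, (alpha, x), (map_, alpha, y)))]
GAMMA = make_currying(map_.ty, 1)    # Γ((N->N) x L -> L) = (N->N) -> (L -> L)


def curried_example_9():
    """The rules of Γ(R) as strings; they are the crimped rules of Example 1."""
    return [(render(l), render(r)) for l, r in curry_srs(GAMMA, EXAMPLE_9)]


def lemma_7_holds(gamma, rules):
    """type(Γ(t)) == Γ(type(t)) for both sides of every rule."""
    return all(type_of(curry_term(gamma, t)) == curry_type(gamma, type_of(t))
               for l, r in rules for t in (l, r))
```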

Example 10 (fmap). Let $C = \{fmap^{L \times N \to L}, cons, nil^L\}$ with $fmap > cons > nil$ and consider the following typed SRS $\mathcal{R}$.

  (fmap nil x) → nil
  (fmap (cons α β) x) → (cons (α x) (fmap β x))

Take $\Gamma(L \times N \to L) = L \to (N \to L)$. Then we have the following curried SRS $\Gamma(\mathcal{R})$.

  ((fmap nil) x) → nil
  ((fmap (cons α β)) x) → (cons (α x) ((fmap β) x))

From Example 2, $\Gamma(\mathcal{R})$ is terminating. Thus, according to Theorem 5, $\mathcal{R}$ is terminating. □

Example 11 (fold). Let $C = \{fold^{(N \times N \to N) \times N \times L \to N}, cons^{N \times L \to L}, nil^L\}$ with $fold > cons > nil$ and consider the following typed SRS $\mathcal{R}$.

  (fold α x nil) → x
  (fold α x (cons y z)) → (α y (fold α x z))

Take $\Gamma((N \times N \to N) \times N \times L \to N) = (N \times N \to N) \times N \to (L \to N)$. Then we have the following curried SRS $\Gamma(\mathcal{R})$.

  ((fold α x) nil) → x
  ((fold α x) (cons y z)) → (α y ((fold α x) z))

From Example 5, $\Gamma(\mathcal{R})$ is terminating. Thus, according to Theorem 5, $\mathcal{R}$ is terminating. □

Example 12 (rec). Let $C = \{rec^{(N \times A \to A) \times A \times N \to A}, s^{N \to N}, 0^N\}$ with $rec > s > 0$ and consider the following typed SRS $\mathcal{R}$.

  (rec α x 0) → x
  (rec α x (s y)) → (α (s y) (rec α x y))

Take $\Gamma((N \times A \to A) \times A \times N \to A) = (N \times A \to A) \times A \to (N \to A)$. Then we have the following curried SRS $\Gamma(\mathcal{R})$.

  ((rec α x) 0) → x
  ((rec α x) (s y)) → (α (s y) ((rec α x) y))

From Example 6, $\Gamma(\mathcal{R})$ is terminating. Thus, according to Theorem 5, $\mathcal{R}$ is terminating. □

Example 13 (sorting). Let $C = \{asort^{L \to L}, dsort^{L \to L}, sort^{(N \times N \to N) \times (N \times N \to N) \times L \to L}, ins^{(N \times N \to N) \times (N \times N \to N) \times L \times N \to L}, max^{N \times N \to N}, min^{N \times N \to N}, s^{N \to N}, 0^N, cons^{N \times L \to L}, nil^L\}$ with $asort, dsort > sort > ins > max, min > s > 0 > cons > nil$ and consider the following typed SRS $\mathcal{R}$.

  (sort α β nil) → nil
  (sort α β (cons x y)) → (ins α β (sort α β y) x)
  (ins α β nil y) → (cons y nil)
  (ins α β (cons x z) y) → (cons (α x y) (ins α β z (β x y)))
  (max 0 y) → y
  (max x 0) → x
  (max (s x) (s y)) → (s (max x y))
  (min 0 y) → 0
  (min x 0) → 0
  (min (s x) (s y)) → (s (min x y))
  (asort z) → (sort min max z)
  (dsort z) → (sort max min z)

Take two curryings $\Gamma_1((N \times N \to N) \times (N \times N \to N) \times L \to L) = (N \times N \to N) \times (N \times N \to N) \to (L \to L)$ and $\Gamma_2((N \times N \to N) \times (N \times N \to N) \times L \times N \to L) = (N \times N \to N) \times (N \times N \to N) \to (L \times N \to L)$. Currying $\mathcal{R}$ twice, we have the following curried SRS $\Gamma_2(\Gamma_1(\mathcal{R}))$.

  ((sort α β) nil) → nil
  ((sort α β) (cons x y)) → ((ins α β) ((sort α β) y) x)
  ((ins α β) nil y) → (cons y nil)
  ((ins α β) (cons x z) y) → (cons (α x y) ((ins α β) z (β x y)))
  (max 0 y) → y
  (max x 0) → x
  (max (s x) (s y)) → (s (max x y))
  (min 0 y) → 0
  (min x 0) → 0
  (min (s x) (s y)) → (s (min x y))
  (asort z) → ((sort min max) z)
  (dsort z) → ((sort max min) z)

From Example 7, $\Gamma_2(\Gamma_1(\mathcal{R}))$ is terminating. Thus, according to Theorem 5, $\mathcal{R}$ is terminating. □
Abstract. Monadic Second-Order Unification (MSOU) is Second-Order Unification where all function constants occurring in the equations are unary. Here we prove that the problem of deciding whether a set of monadic equations has a unifier is NP-complete. We also prove that Monadic Second-Order Matching is NP-complete.



1 Introduction 

Monadic Second-Order Unification (MSOU) is Second-Order Unification (SOU) where all function constants occurring in the problem are at most unary. It is well-known that the problem of deciding if a SOU problem has a solution is undecidable [Gol81,Far91,Lev98,LV00], whereas, in the case of MSOU, the problem is decidable [Hue75,Zhe79,Far88]. It is not a restriction to assume for this discussion that second-order variables are also unary. In [SSS98], it is proved that the problem is NP-hard. In this paper, we prove that it is in NP.

MSOU can be decided by first making a guess, for every variable, whether it uses its argument or not, and then calling string unification. This shows again that MSOU is decidable since string unification is decidable [Mak77], and also that MSOU is in PSPACE by using the result that string unification is in PSPACE [Pla99]. Since this is the currently known upper bound for string unification, our result that MSOU is NP-complete gives a sharp bound that (currently) cannot be obtained from results on string unification.

MSOU is a specialization of bounded second-order unification (BSOU)¹. BSOU is decidable [SS04], which provides another proof of decidability of MSOU, but no tight upper complexity bound. On the other hand, our proof and results

* This research has been partially supported by the CICYT Research Projects CADVIAL (TIC2001-2392-C03-01) and LOGFAC (TIC2001-1577-C03-01).

¹ According to Property 2 we can restrict variables to be unary, as constants. Then in instantiations $\lambda x.t$ for variables $X$ of the problem, the variable $x$ can occur at most once in $t$, as in BSOU.
suggest an application to BSOU, which may result in proving a precise upper 
complexity bound for BSOU. 

To prove that MSOU is in NP, first, we show how, for any solvable set of equations, we can represent (at least) one of the solutions (unifiers) in polynomial space. Then, we prove that we can check in polynomial time whether a substitution (written in such a representation) is a solution.

There are two key results to obtain this sharp bound. One is the result on the exponential upper bound on the exponent of periodicity of size-minimal unifiers [Mak77,KP96,SSS98] (see Lemma 3). This upper bound allows us to represent exponents in linear space. The other key is a result of Plandowski [Pla94,Pla95] (see Theorem 1) where he proves that, given two context-free grammars with just one rule for every non-terminal symbol, we can check whether they define the same (singleton) language in polynomial time (in the size of the grammars).

This paper proceeds as follows. After some preliminary definitions, in Section 3, we define lazy unifiers and prove that size-minimal unifiers are lazy unifiers. We prove some properties of singleton CFGs in Section 4. We use a graph in order to describe the instance of some variable (Section 5). Sometimes, we need to rewrite such a graph (Section 6). Based on this graph, we prove that, for any size-minimal lazy unifier, we can represent the value of some variable instance using a polynomial singleton grammar (Theorem 2). In Section 7, we extend this result to the whole unifier, and conclude the NP-ness of the MSOU problem.

2 Preliminary Definitions 

Like in general second-order unification, we deal with a signature $\Sigma = \bigcup_{i \geq 0} \Sigma_i$, where constants of $\Sigma_i$ are $i$-ary, and a set of variables $\mathcal{X} = \bigcup_{i \geq 0} \mathcal{X}_i$, where variables of $\mathcal{X}_i$ are also $i$-ary. Variables of $\mathcal{X}_0$ are therefore first-order typed and those of $\mathcal{X}_i$, with $i \geq 1$, are second-order typed. Well-typed terms are built as usual. We notate free variables with capital letters $X, Y, \ldots$ and bound variables and constants with lower-case letters $x, y, \ldots$ and $a, b, \ldots$. Terms are written in $\beta\eta$-normal form, thus arities can be inferred from the context. As far as we do not consider third or higher-order constants, first-order typed terms (in normal form) do not contain $\lambda$-abstractions, and second-order typed terms only contain $\lambda$-abstractions in topmost positions. The size of a term $t$ is noted $|t|$ and defined as its number of symbols. A term is said to be monadic if it is built without using constants of arity greater than one, i.e. on a signature with $\Sigma_i = \emptyset$ for any $i \geq 2$. Notice that there is no restriction on the arity of variables.

Second-order substitutions are functions from terms to terms, defined as usual. For any substitution $\sigma$, the set of variables $X$ such that $\sigma(X) \neq X$ is finite and is called the domain of the substitution, noted $\mathrm{Dom}(\sigma)$. A substitution $\sigma$ can be presented as $[X_1 \mapsto t_1, \ldots, X_n \mapsto t_n]$, where $X_i \in \mathrm{Dom}(\sigma)$, $t_i$ has the same type as $X_i$, and satisfies $t_i = \sigma(X_i)$. Given two substitutions $\sigma$ and $\rho$, their composition is defined by $(\sigma \circ \rho)(t) = \sigma(\rho(t))$, for any term $t$, and is also a substitution, i.e. $\mathrm{Dom}(\sigma \circ \rho)$ is finite. We say that a substitution $\sigma$ is more general than another substitution $\rho$, noted $\sigma \leq \rho$, if there exists a substitution $\tau$ such that $\rho(X) = \tau(\sigma(X))$, for any variable $X \in \mathrm{Dom}(\sigma)$. This defines a preorder relation on substitutions. An equivalence relation can also be defined as $\sigma \approx \rho$ if $\sigma \leq \rho$ and $\rho \leq \sigma$. A substitution $\sigma$ is said to be ground if $\sigma(X)$ is a closed term, i.e. it does not contain free occurrences of variables, for any $X \in \mathrm{Dom}(\sigma)$.

An instance of the MSOU problem is a set of equations $\{t_1 \stackrel{?}{=} u_1, \ldots, t_n \stackrel{?}{=} u_n\}$ where the $t_i$'s and $u_i$'s are monadic terms with the same first-order type, i.e. not containing $\lambda$-abstractions. A solution or unifier is a second-order substitution $\sigma$ solving all equations: $\sigma(t_i) = \sigma(u_i)$ modulo $\beta\eta$-equality. A unifier $\sigma$ of $E$ is said to be ground if $\sigma(t_i)$ does not contain free occurrences of variables, for any $t_i \stackrel{?}{=} u_i \in E$. (Notice that not all ground substitutions that are unifiers are ground unifiers, because $t_i$ may contain variables not instantiated by the unifier). A ground unifier is said to be size-minimal if it minimizes $\sum_{i=1}^{n} \ldots$ among all ground unifiers. (Notice that w.l.o.g. size-minimal unifiers are required to be ground, because if a problem has a non-ground unifier, then it also has a ground unifier of equal or smaller size). Most general unifiers are defined as usual.

Notice that instances of the problem are required to be built from monadic terms, but there are no restrictions on the solutions. However, the following property ensures that most general unifiers instantiate variables by monadic terms.

Property 1. For any set of second-order unification equations $E$, and most general unifier $\sigma$, all constants occurring in $\sigma$ also occur in $E$.

This property does not hold for variables. Even if the set of equations is built from unary second-order variables, most general unifiers can introduce fresh $n$-ary variables with $n \geq 2$. For instance, the set of equations $\{X(a) \stackrel{?}{=} Y(b)\}$ has only a most general unifier $[X \mapsto \lambda x. Z(x, b),\ Y \mapsto \lambda x. Z(a, x)]$, which introduces a binary second-order variable $Z$. Fortunately, non-unary variables do not give rise to undecidability; for that we need non-unary constants. In fact, one single binary constant is enough to generate a class of undecidable second-order unification problems [Far88,LV02].



3 Lazy Unifiers 

We can restrict instances of second-order variables to ones that do not use their arguments, whenever this is possible. In this way we obtain what we call lazy unifiers.

Definition 1. A substitution $\sigma$ is said to be a lazy unifier if

1. it is a ground unifier, and,

2. it can be decomposed as $\sigma = \rho \circ \tau$, where $\tau$ is a most general unifier and $\rho$ has the form $[X_1 \mapsto \lambda x_1. \cdots . \lambda x_{n_1}. a_1, \ldots, X_m \mapsto \lambda x_1. \cdots . \lambda x_{n_m}. a_m]$, where $a_1, \ldots, a_m \in \Sigma_0$ are first-order constants.
Lemma 1. For any solvable set of MSOU equations $E$ containing at least a 0-ary constant, there exists a lazy unifier $\sigma$ that does not introduce constants not occurring in $E$.

Lemma 2. Any size-minimal unifier is a lazy unifier. 

From now on, when we say a solution of a set of equations, we mean a lazy unifier. We also assume that any set of equations contains, at least, a 0-ary constant. The following property allows us to go a step further and assume that all variables are unary.

Property 2. Monadic SOU is NP-reducible to monadic SOU where all variables are second-order typed and unary.

From now on, since all symbols are unary or zero-ary, we can avoid parentheses, and represent the term $a(X(b))$ as the word $a\, X\, b$, and $\lambda x. a(x)$ as $\lambda x. a\, x$.

We know that the size-minimal ground unifiers of a monadic second-order unification problem satisfy the exponent of periodicity lemma [Mak77, KP96, SSS98, SS04]. Therefore, from Lemma 2, we can conclude that it also holds for lazy unifiers:

Lemma 3 ([SS04]). There exists a constant $\alpha \in \mathbb{R}$ such that, for any solvable monadic second-order unification problem $E$, there exists a lazy unifier $\sigma$ such that, for any variable $X$, and words $w_1$, $w_2$ and $w_3$,

$\sigma(X) = \lambda x.\, w_1\, w_2^{\,n}\, w_3\, x$ and $w_2$ not empty implies $n \leq \ldots$

4 Singleton Context Free Grammars 

A context-free grammar (CFG) is a 4-tuple $(\Sigma, N, P, s)$, where $\Sigma$ is an alphabet of terminal symbols, $N$ is an alphabet of non-terminal symbols (contrarily to the standard conventions, and in order to avoid confusion between free variables and non-terminal symbols, all terminal and non-terminal symbols are denoted by lower-case letters), $P$ is a finite set of rules, and $s \in N$ is the start symbol. We will not distinguish a particular start symbol, and we will represent a context free grammar as a 3-tuple $(\Sigma, N, P)$. Moreover, we will use Chomsky grammars with at most two symbols on the right hand side of the rules.

Definition 2. We say that a context free grammar $G = (\Sigma, N, P)$ generates a word $w \in \Sigma^*$ if there exists a non-terminal symbol $a \in N$ such that $w$ belongs to the language defined by $(\Sigma, N, P, a)$. In such case, we also say that $a$ generates $w$.

We say that a context free grammar is a singleton CFG if it is not recursive and every non-terminal symbol occurs in the left-hand side of exactly one rule. Then, every non-terminal symbol $a \in N$ generates just one word, denoted $w_a$, and we say that $a$ defines $w_a$. In general, for any sequence $\alpha \in (\Sigma \cup N)^*$, $w_\alpha \in \Sigma^*$ denotes the word generated by $\alpha$.
Plandowski [Pla94,Pla95] defines singleton grammars, but he calls them grammars defining a set of words. He proves the following result.

Theorem 1 ([Pla95], Theorem 33). The word equivalence problem for singleton context-free grammars is defined as follows: given a grammar and two non-terminal symbols $a$ and $b$, decide whether $w_a = w_b$. This problem can be solved in polynomial worst-case time in the size of the grammar.

Definition 3. Let $G = (\Sigma, N, P)$ be a singleton CFG.

For any terminal symbol $a \in \Sigma$, we define $\mathrm{depth}(a) = 0$, and for any non-terminal symbol $a \in N$ we define

$\mathrm{depth}(a) = \max\{\mathrm{depth}(b_i) + 1 \mid a \to b_1 b_2 \in P \wedge i = 1, 2\}$

We define the depth of $G$ as $\mathrm{depth}(G) = \max\{\mathrm{depth}(a) \mid a \in N\}$.

We define the size of $G$ as its number of rules. (Notice that this definition is for Chomsky grammars).

We can enlarge a grammar in order to define concatenation, exponentiation and prefixes of words already defined by the grammar. We use these operations in the next sections to build the grammar defining some lazy unifier of the unification problem. The following three lemmas state how the size and the depth of the grammar are increased by these transformations.

Lemma 4. Let $G$ be a singleton grammar defining the words $w_1, \ldots, w_n$. There exists a singleton grammar $G' \supseteq G$ that defines the word $w = w_1 \ldots w_n$ and satisfies

$|G'| \leq |G| + n - 1$
$\mathrm{depth}(G') \leq \mathrm{depth}(G) + \lceil \log n \rceil$

Lemma 5. Let $G$ be a singleton grammar defining the word $w$. For any $n$, there exists a singleton grammar $G' \supseteq G$ that defines the word $w^n$ and satisfies

$|G'| \leq |G| + 2\lfloor \log n \rfloor$
$\mathrm{depth}(G') \leq \mathrm{depth}(G) + \lceil \log n \rceil$

Lemma 6. Let $G$ be a singleton grammar defining the word $w$. For any prefix or suffix $w'$ of $w$, there exists a singleton grammar $G' \supseteq G$ that defines $w'$ and satisfies

$|G'| \leq |G| + \mathrm{depth}(G)$
$\mathrm{depth}(G') = \mathrm{depth}(G)$
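As an added example (not the paper's construction), the following Python builds a singleton grammar in Chomsky form and implements the three enlargements of Lemmas 4, 5 and 6 so that each one stays within the lemma's size and depth bounds: a balanced tree for concatenation, the recursion $r_k \to r_{\lceil k/2 \rceil}\, r_{\lfloor k/2 \rfloor}$ for exponentiation, and a single walk down the derivation for a prefix. It is run on the grammar $G = \{b \to cc,\ c \to ff\}$ of Example 1 later in this section, with the bounds checked explicitly.

```python
# Added example, not from the paper: a singleton grammar in Chomsky form with the
# enlarging operations behind Lemmas 4, 5 and 6, each implemented so that the
# lemma's size and depth bounds are met, checked on the grammar G = {b -> cc,
# c -> ff} of Example 1 (so w_b = ffff).
import math


class SingletonGrammar:
    """rules: non-terminal -> tuple of 1 or 2 symbols; symbols without a rule
    are terminals. Non-recursive, one rule per non-terminal."""

    def __init__(self, rules):
        self.rules = {a: tuple(rhs) for a, rhs in rules.items()}
        self._fresh = 0

    def add(self, rhs):
        """Add a rule for a fresh non-terminal and return it."""
        self._fresh += 1
        a = f"n{self._fresh}"
        self.rules[a] = tuple(rhs)
        return a

    def word(self, a):
        """w_a for a symbol, or w_alpha for a sequence of symbols."""
        if isinstance(a, (tuple, list)):
            return "".join(self.word(b) for b in a)
        return self.word(self.rules[a]) if a in self.rules else a

    def depth(self, a=None):
        """depth(a) of Definition 3; depth of the whole grammar when a is None."""
        if a is None:
            return max((self.depth(b) for b in self.rules), default=0)
        return 1 + max(self.depth(b) for b in self.rules[a]) if a in self.rules else 0

    def size(self):
        return len(self.rules)

    def concat(self, symbols):
        """Lemma 4: a non-terminal for w_1 ... w_n using n-1 rules and a balanced
        tree, so depth grows by at most ceil(log n)."""
        syms = list(symbols)
        if len(syms) == 1:
            return syms[0]
        mid = len(syms) // 2
        return self.add((self.concat(syms[:mid]), self.concat(syms[mid:])))

    def power(self, a, n):
        """Lemma 5: a non-terminal for w_a^n. r_k -> r_ceil(k/2) r_floor(k/2)
        needs at most two new rules per level, i.e. <= 2 floor(log n) rules."""
        memo = {1: a}

        def r(k):
            if k not in memo:
                memo[k] = self.add((r((k + 1) // 2), r(k // 2)))
            return memo[k]

        return r(n)

    def prefix(self, a, k):
        """Lemma 6: a non-terminal for the prefix of length k of w_a (1 <= k <= |w_a|).
        At most one rule per level, hence <= depth(a) rules and no depth increase."""
        if k == len(self.word(a)):
            return a
        rhs = self.rules[a]                 # k < |w_a|, so a must be a non-terminal
        if len(rhs) == 1:
            return self.prefix(rhs[0], k)
        b, c = rhs
        lb = len(self.word(b))
        return self.prefix(b, k) if k <= lb else self.add((b, self.prefix(c, k - lb)))


def check_lemmas(n=5, k=7):
    """Run the three operations on G of Example 1 and compare with the bounds."""
    g = SingletonGrammar({"b": ("c", "c"), "c": ("f", "f")})
    s0, d0 = g.size(), g.depth()
    e = g.power("b", n)
    power_ok = (g.word(e) == "ffff" * n
                and g.size() - s0 <= 2 * math.floor(math.log2(n))
                and g.depth(e) <= d0 + math.ceil(math.log2(n)))
    s1, d1 = g.size(), g.depth()
    p = g.prefix(e, k)
    prefix_ok = g.word(p) == "f" * k and g.size() - s1 <= d1 and g.depth() == d1
    s2, d2 = g.size(), g.depth()
    w = g.concat([e, p, "b"])
    concat_ok = (g.word(w) == g.word(e) + g.word(p) + "ffff"
                 and g.size() - s2 <= 2 and g.depth(w) <= d2 + math.ceil(math.log2(3)))
    return power_ok, prefix_ok, concat_ok
```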

Definition 4. Consider a signature composed by a nonempty set $\Sigma_0$ of first-order constants, a set $\Sigma_1$ of second-order and unary constants, a set $N$ of non-terminal symbols, and a set $\mathcal{X}_1$ of second-order and unary variables.

A generalized set of equations is a pair $(E, G)$, where $E$ is a set of equations of the form $\{t_1 \stackrel{?}{=} u_1, \ldots, t_n \stackrel{?}{=} u_n\}$ where the terms $t_i$ and $u_i$, for $i = 1, \ldots, n$, are sequences of $(\Sigma_1 \cup \mathcal{X}_1 \cup N)^* \Sigma_0$, and $G = (\Sigma_1, N, P)$ is a singleton context free grammar with just one production for every non-terminal symbol of $N$ occurring in $E$.

A generalized unifier of $(E, G)$ is a pair $(\sigma, G')$, where $\sigma$ is a mapping that assigns either $[X \mapsto \lambda x. a\, x]$ or $[X \mapsto \lambda x. a\, b]$ or $[X \mapsto \lambda x. x]$ or $[X \mapsto \lambda x. b]$ to each variable $X$, for some $a \in N \cup \Sigma_1$ and $b \in \Sigma_0$, and $G' \supseteq G$ is a singleton grammar that contains a production for every non-terminal symbol of $E$ or $\sigma$, such that, replacing every variable $X$ by its instance in $E$, $\beta\eta$-normalizing both sides of each equation, and then replacing every nonterminal symbol $a$ by the word $w_a$ that it defines, all the equations of $E$ are satisfied as equalities.

Notice that non-terminal symbols derive into sequences of second-order constants, and that we do not consider first-order variables.

Example 1. Consider the generalized set of equations $(E, G)$, defined by 

$E = \{\, b\, X\, X\, f\, a = Y\, Y\, Y\, a \,\}$ 

$G = \{\, b \to c\, c,\ c \to f\, f \,\}$ 

Then, the pairs $(\sigma, G')$, defined by 

$\sigma = [X \mapsto \lambda x.\, c\, x,\ Y \mapsto \lambda x.\, d\, x]$, $\quad G' = \{\, b \to c\, c,\ c \to f\, f,\ d \to c\, f \,\}$ 

$\sigma = [X \mapsto \lambda x.\, a,\ Y \mapsto \lambda x.\, b\, a]$, $\quad G' = \{\, b \to c\, c,\ c \to f\, f \,\}$ 

are generalized unifiers (with $w_b = ffff$, both sides of the equation become $f^9 a$ under the first pair and $ffff\, a$ under the second, where $X$ forgets its argument). In fact, these would be the only two lazy unifiers found 
by our algorithm. Notice that the second one is a lazy unifier corresponding to 
the most general unifier $[X \mapsto \lambda x.\, Z,\ Y \mapsto \lambda x.\, f\, f\, f\, f\, Z]$. 

From now on, an instance of a MSOU problem will be a generalized set of 
equations. Let $\sigma$ assign $[X \mapsto \lambda x.\, a\, x]$. We will use $\sigma(X)$ to denote indistinctly 
the functions $\lambda x.\, a\, x$ or $\lambda x.\, w_a\, x$, or the word $w_a$, its meaning being clear from 
the context. 
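The check prescribed by Definition 4, run on the two generalized unifiers of Example 1, on the ground most general unifier $[X \mapsto \lambda x.\, f\, f\, x,\ Y \mapsto \lambda x.\, f\, f\, f\, x]$ written with two fresh non-terminals, and on a candidate that is not a unifier. This is an added example, not code from the paper; the encoding of an instance as a `(head, constant)` pair and the names `e`, `h` for the fresh non-terminals are my own assumptions. Instantiation replaces each variable by its instance and $\beta$-normalizes, which for a monadic sequence $s_1 \cdots s_j\, X\, w$ means that an instance of the form $\lambda x.\, a\, b$ or $\lambda x.\, b$ discards the rest of the sequence; the non-terminals are then expanded and the words compared.

```python
"""Definition 4 on Example 1: instantiate a generalized set of equations with a
candidate unifier and compare the words.  Added example, not the paper's code."""


def expand(rules, sym):
    """Word defined by sym in a singleton grammar (terminals expand to themselves)."""
    return "".join(expand(rules, s) for s in rules[sym]) if sym in rules else sym


# An instance of Definition 4 is encoded as (head, constant):
#   λx.a x -> (a, None)   λx.a b -> (a, b)   λx.x -> (None, None)   λx.b -> (None, b)
def instantiate(side, sigma):
    """Replace each variable by its instance and beta-normalise: the sequence
    s_1 ... s_j X w stands for s_1(...(X w)), so λx.a b or λx.b drops w."""
    out = []
    for tok in side:
        if tok not in sigma:
            out.append(tok)
            continue
        head, const = sigma[tok]
        if head is not None:
            out.append(head)
        if const is not None:
            out.append(const)
            break
    return out


def is_unifier(equations, rules, sigma):
    """(sigma, rules) is a generalized unifier iff every equation holds as an
    equality of words after instantiation and expansion of non-terminals."""
    def word(side):
        return "".join(expand(rules, tok) for tok in instantiate(side, sigma))
    return all(word(lhs) == word(rhs) for lhs, rhs in equations)


EXAMPLE_1 = [(["b", "X", "X", "f", "a"], ["Y", "Y", "Y", "a"])]
G = {"b": ("c", "c"), "c": ("f", "f")}            # w_b = ffff, w_c = ff


def check_example_1():
    """For four candidates, whether each is a generalized unifier of Example 1."""
    candidates = [
        # [X -> λx.c x, Y -> λx.d x] with G' = G + {d -> c f}: both sides f^9 a
        ({"X": ("c", None), "Y": ("d", None)}, {**G, "d": ("c", "f")}),
        # [X -> λx.a, Y -> λx.b a]: X drops its argument, both sides become w_b a
        ({"X": (None, "a"), "Y": ("b", "a")}, G),
        # the ground most general unifier [X -> λx.f f x, Y -> λx.f f f x],
        # written with the fresh non-terminals e -> f f and h -> e f (my names)
        ({"X": ("e", None), "Y": ("h", None)}, {**G, "e": ("f", "f"), "h": ("e", "f")}),
        # not a unifier: f^9 a on the left, f^6 a on the right
        ({"X": ("c", None), "Y": ("c", None)}, G),
    ]
    return [is_unifier(EXAMPLE_1, rules, sigma) for sigma, rules in candidates]
```

`check_example_1()` returns one boolean per candidate in the order listed; the same `is_unifier` works for any generalized set of equations written as token sequences.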

Notice that any monadic set of equations $E$ is equivalent to the general- 
ized set of equations $(E, \emptyset)$, and vice versa, any generalized set of equations 
is equivalent to the monadic set of equations that we obtain by replacing ev- 
ery non-terminal symbol by the word that it defines. Therefore, solvability of 
monadic sets of equations and of generalized sets of equations are, with respect 
to decidability, equivalent problems. With respect to their complexity, we will 
prove that solvability of generalized sets of equations can be decided in NP time. 
This implies that solvability of MSOU is also in NP. 

5 The Graph of Surface Dependencies 

In this section we define the graph of surface dependencies. The purpose of 
this graph is to describe, for a given lazy unifier $\sigma$, the instance $\sigma(X)$ of some 
variable $X$ of the problem. In some cases, the ones not covered by Lemmas 8, 9 
and 10, the graph is not able to describe such instances, and it becomes necessary 
to rewrite it to obtain a new graph with this capability. This graph rewriting 
process will be described in Section 6. 

The graph of surface dependencies is defined only for simplified equations 
(not containing rigid-rigid pairs, i.e. pairs with constants in the head of both 
sides of the equation). If we have such equations we can simplify 
them. This can increase the size of the associated grammar, as the following 
lemma states. After this lemma, unless otherwise stated, we will assume that all sets 
of equations are simplified. 

Lemma 7. Given a generalized set of equations $(E, G)$, where $E = \{t_1 = u_1, \dots, t_n = u_n\}$, we can get an equivalent simplified problem $(E', G')$, where 
$E' = \{t'_1 = u'_1, \dots, t'_m = u'_m\}$, a problem with exactly the same set of so- 
lutions, where, for every equation $t'_i = u'_i$, either $t'_i$ or $u'_i$ has a variable in the 
head (all rigid-rigid pairs have been removed), and 

$$|E'| \le |E| \qquad\qquad |G'| \le |G| + n\, \mathrm{depth}(G)$$
$$m \le n \qquad\qquad \mathrm{depth}(G') = \mathrm{depth}(G)$$

Definition 5. Let $(E, G)$ be a simplified generalized set of equations. The graph 
of surface dependencies of $(E, G)$ is defined as follows. 

Let $\approx$ be the minimal equivalence relation defined by: if $E$ contains an equa- 
tion of the form $X\, w_1 = Y\, w_2$, then $X \approx Y$. This defines a partition on the 
variables of $E$. 

Every node of the graph is labeled by an $\approx$-equivalence class of variables, the 
empty set, or a first-order constant, and every edge is labeled by either a terminal 
or a second-order constant. Then: 

— We add just one node for every equivalence class of variables. 

— For every equation of the form $X\, w_1 = a_1 \cdots a_n\, Y\, w_2$, where $a_1 \cdots a_n \in (N \cup \Sigma_1)^*$, we add a sequence of nodes with the empty set as labels, and a 
sequence of labeled edges of the form 

[figure omitted: a chain $L_1 \xrightarrow{a_1} \emptyset \xrightarrow{a_2} \cdots \xrightarrow{a_n} L_2$ of $n$ edges passing through $n - 1$ nodes labeled $\emptyset$] 

where $X \in L_1$ and $Y \in L_2$. 

— For every equation of the form $X\, w_1 = a_1 \cdots a_n\, b$, where $a_1 \cdots a_n \in (N \cup \Sigma_1)^*$ 
and $b \in \Sigma_0$, we add a sequence of nodes with the empty set as label, and a 
sequence of labeled edges of the form 

[figure omitted: a chain $L \xrightarrow{a_1} \emptyset \xrightarrow{a_2} \cdots \xrightarrow{a_n} b$ ending in a node labeled with the first-order constant $b$] 

where $X \in L$. 

Notice that, for every variable $X$, there is just one node with label $L$ satisfying 
$X \in L$. This is called its corresponding node. 

The cycles of this graph describe the base of some exponentiation occurring 
in the instance of some variables. For instance, the solutions of the equation 
$X\, f\, a = f\, X\, a$ have the form $[X \mapsto \lambda x.\, f^n\, x]$, for some $n \ge 0$. The base of this 
power is described by a cycle in its graph of dependencies: 

[figure omitted: the single node $\{X\}$ with one edge labeled $f$ from the node to itself] 

We prove that, if one of the following conditions holds: 

1. the graph contains a cycle (Lemma 8), 

2. there is a node with two exiting edges with distinct and divergent labels 
(Lemma 9), or 

3. there is at most one exiting edge, for every node (Lemma 10), 

then the graph of surface dependencies describes the instance of some variable. 
In the remaining cases it may be necessary to rewrite the graph in order to obtain 
the desired description. 

Lemma 8. Given a generalized set of equations $(E, G)$, let $D$ be its graph of 
surface dependencies. If $D$ contains a cycle, then, for every lazy unifier $\sigma$ whose 
exponent of periodicity does not exceed $k$, there exists a variable $X$ such that its 
corresponding node is inside the cycle, and, if $a \in (N \cup \Sigma_1)^*$ is the sequence of 
transitions completing the cycle from this node, for some $0 \le n \le k$ and some 
prefix $w'$ of $w_a$, we have $\sigma(X) = \lambda x.\, (w_a)^n\, w'\, x$. 

Moreover, there exists a singleton context-free grammar $G' \supseteq G$ that gener- 
ates $(w_a)^n\, w'$ and satisfies 

$$|G'| \le |G| + \mathrm{depth}(G) + |D| + \lceil \log |D| \rceil + 2 \lfloor \log k \rfloor$$
$$\mathrm{depth}(G') \le \mathrm{depth}(G) + \lceil \log |D| \rceil + \lceil \log k \rceil + 1$$



Definition 6. A dependence graph $D$ is said to contain a divergence $L_2 \xleftarrow{a} L_1 \xrightarrow{b} L_3$ if it contains a subgraph of the form 

[figure omitted: a node $L_1$ with two exiting edges, one labeled $a$ leading to $L_2$ and one labeled $b$ leading to $L_3$] 

where neither $w_a$ is a prefix of $w_b$, nor $w_b$ a prefix of $w_a$. 

Lemma 9. Given a generalized set of equations $(E, G)$, let $D$ be its graph of 
surface dependencies. If $D$ contains a divergence $L_2 \xleftarrow{a} L_1 \xrightarrow{b} L_3$, then, for any 
lazy unifier $\sigma$ of $E$, there exists a variable $X \in L_1$ and some common prefix $w'$ 
of $w_a$ and $w_b$, such that $\sigma(X) = \lambda x.\, w'\, x$. 

Moreover, there exists a singleton context-free grammar $G' \supseteq G$ that gener- 
ates $w'$, has the same depth as $G$, and satisfies $|G'| \le |G| + \mathrm{depth}(G)$. 

Lemma 10. Given a generalized set of equations $(E, G)$, let $D$ be its graph of 
surface dependencies. If $D$ contains at most one exiting edge for every node, 
and $D$ does not contain cycles, then, for any size-minimal lazy unifier $\sigma$ of $E$, 
one of the following properties holds: 

1. for some node $L$ without exiting edges, some variable $X \in L$, and some 
first-order constant $b \in \Sigma_0$, we have $\sigma(X) = \lambda x.\, b$, or 

2. for some node $L$ and some variable $X \in L$, let $a$ be the unique path starting at $L$ and finishing in a 
node without exiting edges; then, either 

(a) the sequence $a$ ends in a node labeled with a first-order constant $b \in \Sigma_0$, 
and $\sigma(X) = \lambda x.\, w_a\, b$, or 

(b) for some proper prefix $w'$ of $w_a$, we have $\sigma(X) = \lambda x.\, w'\, x$. 

Moreover, there exists a singleton context-free grammar $G' \supseteq G$ that, in each 
case, defines $w_a$ or $w'$, and satisfies 

$$|G'| \le |G| + \mathrm{depth}(G) + |D| + \lceil \log |D| \rceil - 1$$
$$\mathrm{depth}(G') \le \mathrm{depth}(G) + \lceil \log |D| \rceil$$

Remark 1. Notice that this lemma, contrary to Lemmas 8 and 9, only applies 
to size-minimal lazy unifiers. Notice also that in case 1 it forces some variable 
to forget its argument, and therefore applies to lazy unifiers, but not to most 
general unifiers. This is the point where the search for a size-minimal lazy unifier 
differs from the search for a most general unifier, and in fact where our algo- 
rithm loses its completeness and soundness when applied to word unification. 
(Otherwise this paper would prove NP-completeness of word unification!) 

For instance, in Example 1, the graph of surface dependencies is 

[figure omitted: the two nodes $\{Y\}$ and $\{X\}$ joined by the single edge $\{Y\} \xrightarrow{b} \{X\}$] 

Therefore, we are in the conditions of Lemma 10. Applying sub-case 1, we find 
$\sigma(X) = \lambda x.\, a$ (and later, $\sigma(Y) = \lambda x.\, b\, a$). Applying sub-case 2b, we find, among 
others, $\sigma(Y) = \lambda x.\, f\, f\, f\, x$ (and later, $\sigma(X) = \lambda x.\, f\, f\, x$). The first one is a lazy, 
but not a most general unifier, whereas the second one is a ground and most 
general (and therefore lazy) unifier. Notice that there are other most general 
unifiers of the form $[X \mapsto \lambda x.\, f^{3n-1}\, x,\ Y \mapsto \lambda x.\, f^{2n+1}\, x]$ that are not found by 
our algorithm for $n > 1$. 

6 Rewriting the Graph of Dependencies 

There are graphs not satisfying any of the conditions of Lemmas 8, 9 and 10. 
These graphs contain a node with two compatible exiting edges. In other words, 
these graphs contain a subgraph, used as redex in our transformation rules, of 
the form $L_2 \xleftarrow{a} L_1 \xrightarrow{b} L_3$, where $w_a$ is a prefix of $w_b$, or $w_b$ is a prefix of $w_a$. An 
example of such a graph is shown in Example 2. In these cases, in order 
to obtain a description of some variable instantiation, it can be necessary to 
transform the graph of dependencies using the following graph rewriting system. 
These rules transform the redexes described above. 

Definition 7. We consider a transformation system described by rules that work 
on pairs of the form $(D, G)$, where $D$ is a dependence graph and $G$ is a singleton 
grammar. The transformation on the dependence graph is interpreted as a graph 
rewriting system. 

Rule 1: 

[figure omitted: the rewriting of a redex $L_2 \xleftarrow{a} L_1 \xrightarrow{b} L_3$ in which $w_a$ is a proper prefix of $w_b$] 

where $c$ is a fresh non-terminal symbol, and $L'_1 = \{X' \mid X \in L_1\}$ is the set of 
labels of $L_1$ where we have added a prime to every variable name. 

Rule 2: 

[figure omitted: the rewriting of a redex $L_2 \xleftarrow{a} L_1 \xrightarrow{b} L_3$ in which the two labels define the same word; this is the rule applied in Example 2] 

In the first rule, the grammar $G$ is transformed in order to be able to define 
the word $w_c$ satisfying $w_b = w_a\, w_c$. According to Lemma 6, we can obtain such a 
grammar $G'$ satisfying 

$$|G'| \le |G| + \mathrm{depth}(G)$$
$$\mathrm{depth}(G') = \mathrm{depth}(G)$$

In the second rule, the grammar is not modified. 

These rules can only be applied if the graph has no cycles and there are no 
divergences. 

Example 2. Consider the following set of equations, and their set of unifiers, for 
$n \ge 0$. 

$X_1\, c_1 = a\, b\, X_2\, c_1$ $\qquad$ $X_1 \mapsto \lambda x.\, (a b)^{n+2}\, x$ 

$X_1\, c_2 = a\, X_3\, a\, b\, c_2$ $\qquad$ $X_2 \mapsto \lambda x.\, (a b)^{n+1}\, x$ 

$X_2\, c_3 = a\, X_3\, c_3$ $\qquad$ $X_3 \mapsto \lambda x.\, b\, (a b)^n\, x$ 

[figure omitted: the graph of surface dependencies, with edges $\{X_1\} \xrightarrow{a} \emptyset \xrightarrow{b} \{X_2\}$, $\{X_1\} \xrightarrow{a} \{X_3\}$ and $\{X_2\} \xrightarrow{a} \{X_3\}$, so that $\{X_1\}$ has two exiting edges with the same label $a$] 

Using the second rule of the graph rewriting system we get 

[figure omitted: the rewritten graph] 

Lemma 11. Any graph rewriting sequence $D_1 \Rightarrow^* D_n$ has length at most $n \le |D_1|^2$, where $|D_1|$ is the number of edges of $D_1$. 

As we have said, if the graph of surface dependencies does not contain redexes, 
then it describes a variable instance. Moreover, depending on the lazy unifier, 
even if the graph contains redexes, it can also describe some variable instance. We 
distinguish, according to the lazy unifier, between incompatible and compatible 
redexes. If the graph contains an incompatible redex, it already describes a 
variable instance, and must not be rewritten. Thus, we only rewrite a graph if 
all redexes are compatible. 
Definition 8. Given a generalized set of equations $(E, G)$, its graph of depen- 
dencies $D$, and a lazy unifier $\sigma$, we say that a graph rewriting step with redex 
$L_2 \xleftarrow{a} L_1 \xrightarrow{b} L_3$ is incompatible with $\sigma$ if for some variable $X \in L_1$ we have 
$\sigma(X) = \lambda x.\, w'\, x$, where $w'$ is a proper prefix of $w_a$ and $w_b$. Otherwise, it is said 
to be compatible. 

Lemma 12. Given a generalized set of equations $(E, G)$, its graph of depen- 
dencies $D$, and a lazy unifier $\sigma$, if there exists a redex 
$L_2 \xleftarrow{a} L_1 \xrightarrow{b} L_3$ in $D$ incompatible with $\sigma$, i.e. there exists a variable $X \in L_1$ with $\sigma(X) = \lambda x.\, w'\, x$, 
where $w'$ is a proper prefix of $w_a$ and $w_b$, then there exists a singleton context- 
free grammar $G' \supseteq G$ that defines $w'$ and satisfies $|G'| \le |G| + \mathrm{depth}(G)$ and 
$\mathrm{depth}(G') = \mathrm{depth}(G)$. 

When we rewrite a graph, the new graph does not describe exactly a variable 
instance of the lazy unifier, but an instance of a modification of this unifier. This 
new unifier is also a solution of a modification of the set of equations. Therefore, 
when we rewrite the graph of surface dependencies, apart from the associated 
grammar, we have to transform the set of equations and its lazy unifier. The 
next lemma describes how we have to make such modifications. 



Lemma 13. Given a generalized set of equations $(E, G)$, its graph of dependen- 
cies $D$, a lazy unifier $\sigma$, and a compatible rewriting step $(D, G) \Rightarrow (D', G')$, there 
exist a generalized set of equations $(E', G')$ and a substitution $\sigma'$ such that 

1. $\sigma'$ is a lazy unifier of $(E', G')$, 

2. $D'$ is the graph of dependencies of $E'$, and 

3. $\sigma'$ extends $\sigma$ as $\sigma'(X) = \sigma(X)$, for any variable occurring in $E$, and satisfies 
$\sigma(X) = \sigma'(X) = \lambda x.\, w_a\, \sigma'(X')\, x$, for any variable $X \in L_1$ occurring in the 
redex of the rewriting step. 



Graphically we can represent this lemma as a category-like commutative 
diagram: 

$$\begin{array}{ccc}
\sigma & \xrightarrow{\ \text{extended as}\ } & \sigma' \\
\downarrow \text{unifier} & & \downarrow \text{unifier} \\
(E, G) & & (E', G') \\
\downarrow \text{graph of dependencies} & & \downarrow \text{graph of dependencies} \\
(D, G) & \xrightarrow{\ \text{rewrites to}\ } & (D', G')
\end{array}$$



Example 3. Consider the following set of equations 

$X_1\, Y_1\, d = a\, c\, X_3\, d$ $\qquad$ $X_1\, Y_2\, d = a\, X_2\, Y_3\, d$ 

$X_2\, Y_6\, d = b\, c\, X_3\, d$ $\qquad$ $X_2\, Y_4\, d = b\, X_1\, Y_5\, d$ 

The graph of surface dependencies is 

[figure omitted: the graph of surface dependencies of these equations] 

Now either $\sigma(X_1) = \lambda x.\, x$, and we already have the description of a variable 
instance, or we can apply a compatible rewriting step to the redex $\emptyset \xleftarrow{a} \{X_1\} \xrightarrow{a} \{X_2\}$, to obtain the following graph: 

[figure omitted: the graph after the rewriting step] 

Now we have a divergence, and we can apply Lemma 9 to ensure that 
either $\sigma'(X'_1) = \lambda x.\, x$ or $\sigma'(X_2) = \lambda x.\, x$. Applying Lemma 13, in the first case 
we obtain $\sigma(X_1) = \lambda x.\, a\, x$, and in the second case $\sigma(X_2) = \lambda x.\, x$. Now we have 
the instance of some variable that can be instantiated in the equations, and we 
can repeat the process to obtain instances of other variables. 
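Building the graph of surface dependencies of Definition 5 from a simplified generalized set of equations and sorting it into the cases of Lemmas 8, 9 and 10 or the redex case of Section 6, as an added example (my own code, not the paper's). It is run on Example 1, on the cyclic equation $X\, f\, a = f\, X\, a$, on Example 2 (whose node $\{X_1\}$ has two exiting edges with the same label) and on a constructed divergence. Assumptions of mine: equations are written as space-separated symbols, variables are the tokens starting with `X`, `Y` or `Z`, nodes are the $\approx$-classes, fresh empty nodes and first-order constants, and the prefix test on two edge labels expands the grammar, which Plandowski's algorithm would avoid.

```python
"""Graph of surface dependencies (Definition 5) and the case split of Lemmas 8-10
and Section 6.  Added example, not the paper's code; the textual encoding of
equations (space-separated symbols, variables start with X/Y/Z) is my own."""
from itertools import combinations, count


def expand(rules, sym):
    """Word defined by sym in a singleton grammar (terminals expand to themselves)."""
    return "".join(expand(rules, s) for s in rules[sym]) if sym in rules else sym


def is_var(tok):
    return tok[0] in "XYZ"


def parse(equation):
    lhs, rhs = equation.split("=")
    return lhs.split(), rhs.split()


class DependencyGraph:
    def __init__(self, equations, rules):
        self.rules = rules
        self.parent = {}          # union-find for the relation ≈ on variables
        self.edges = []           # (source node, label, target node)
        self.fresh = count()
        sides = [parse(e) for e in equations]
        for lhs, rhs in sides:    # X w1 = Y w2 makes X ≈ Y
            if is_var(lhs[0]) and is_var(rhs[0]):
                self.union(lhs[0], rhs[0])
        for lhs, rhs in sides:    # one labelled chain per equation with a rigid side
            if not is_var(lhs[0]):
                lhs, rhs = rhs, lhs
            assert is_var(lhs[0]), "rigid-rigid pair: simplify first (Lemma 7)"
            self.add_chain(lhs[0], rhs)

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            x = self.parent[x]
        return x

    def union(self, x, y):
        self.parent[self.find(x)] = self.find(y)

    def node_of(self, var):
        return ("class", self.find(var))

    def add_chain(self, var, other):
        """X w1 = a1..an Y w2 or X w1 = a1..an b: edges a1..an from the node of X
        through n-1 empty nodes to the node of Y, resp. to the constant node b."""
        i = next((j for j, t in enumerate(other) if is_var(t)), None)
        if i is None:
            labels, target = other[:-1], ("const", other[-1])
        else:
            labels, target = other[:i], self.node_of(other[i])
        if not labels:            # X w1 = Y w2 is covered by ≈; X w1 = b adds no edge
            return
        src = self.node_of(var)
        for lab in labels[:-1]:
            mid = ("empty", next(self.fresh))
            self.edges.append((src, lab, mid))
            src = mid
        self.edges.append((src, labels[-1], target))

    def nodes(self):
        return {n for s, _, t in self.edges for n in (s, t)}

    def out_edges(self, node):
        return [(lab, t) for s, lab, t in self.edges if s == node]

    def has_cycle(self):
        state = {}                # 1 = on the DFS stack, 2 = finished

        def dfs(n):
            state[n] = 1
            for _, t in self.out_edges(n):
                if state.get(t) == 1 or (state.get(t) is None and dfs(t)):
                    return True
            state[n] = 2
            return False
        return any(state.get(n) is None and dfs(n) for n in self.nodes())

    def branchings(self):
        """Pairs of exiting edges of one node: divergences (Definition 6, neither
        label-word is a prefix of the other) and redexes (Section 6, one is)."""
        divergences, redexes = [], []
        for n in self.nodes():
            for (a, _), (b, _) in combinations(self.out_edges(n), 2):
                wa, wb = expand(self.rules, a), expand(self.rules, b)
                bucket = redexes if wa.startswith(wb) or wb.startswith(wa) else divergences
                bucket.append((n, a, b))
        return divergences, redexes

    def classify(self):
        if self.has_cycle():
            return "cycle: Lemma 8"
        divergences, redexes = self.branchings()
        if divergences:
            return "divergence: Lemma 9"
        if not redexes:
            return "at most one exiting edge per node: Lemma 10"
        return "compatible redex: rewrite (Section 6)"


def classify_examples():
    cases = {
        "Example 1": (["b X X f a = Y Y Y a"], {"b": ("c", "c"), "c": ("f", "f")}),
        "X f a = f X a": (["X f a = f X a"], {}),
        "Example 2": (["X1 c1 = a b X2 c1", "X1 c2 = a X3 a b c2", "X2 c3 = a X3 c3"], {}),
        "constructed divergence": (["X d = a Y d", "X e = b c Z e"], {}),
    }
    return {name: DependencyGraph(eqs, rules).classify() for name, (eqs, rules) in cases.items()}
```

The classification follows the order in which the paper applies its lemmas: a cycle or a divergence gives an instance directly, a graph with at most one exiting edge per node falls under Lemma 10, and only a graph whose branchings are all compatible redexes is rewritten.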

Theorem 2. Let $\sigma$ be a size-minimal lazy unifier of $(E, G)$ with exponent of 
periodicity not exceeding $k$. Then there exist a variable $X$ in $E$ and a singleton 
grammar $G'$ deriving $\sigma(X)$ such that 

$$|G'| \le |G| + O(|E|^2\, \mathrm{depth}(G) + \log k)$$
$$\mathrm{depth}(G') \le \mathrm{depth}(G) + O(\log k + \log |E|)$$

Proof. If the set of equations $E$ is not simplified, we can apply Lemma 7 in 
order to obtain an equivalent set of simplified equations. This transformation 
implies a worst-case increase of order $O(|E|\, \mathrm{depth}(G))$ in the size of $G$, which 
is absorbed by the increase of order $O(|E|^2\, \mathrm{depth}(G) + \log k)$ stated in the 
theorem. 

Let $(E_1, G_1) = (E, G)$, $\sigma_1 = \sigma$, and $D_1$ be the graph of dependencies of $E_1$. 
If Lemmas 8, 9 and 10 are not applicable, then there exists a redex in the graph 
$D_1$. Then either there exists a redex incompatible with $\sigma_1$, or all redexes are 
compatible. In the second case, we can rewrite $D_1 \Rightarrow D_2$, and use Lemma 13 to 
find a new substitution $\sigma_2$ and set of generalized equations $(E_2, G_2)$. Repeating 
this argument, we can obtain a diagram of the form: 

$$\begin{array}{ccccccc}
\sigma_1 & \longrightarrow & \sigma_2 & \cdots & \sigma_{n-1} & \longrightarrow & \sigma_n \\
\downarrow & & \downarrow & & \downarrow & & \downarrow \\
(E_1, G_1) & \longrightarrow & (E_2, G_2) & \cdots & (E_{n-1}, G_{n-1}) & \longrightarrow & (E_n, G_n) \\
\downarrow & & \downarrow & & \downarrow & & \downarrow \\
(D_1, G_1) & \Rightarrow & (D_2, G_2) & \cdots & (D_{n-1}, G_{n-1}) & \Rightarrow & (D_n, G_n)
\end{array}$$
where $D_n$ either satisfies Lemma 8, 9 or 10, or contains a redex incompatible 
with $\sigma_n$. Now, either using Lemma 8, 9 or 10, if $D_n$ does not contain redexes, or 
using Lemma 12, if $D_n$ contains an incompatible redex, we can find the instance 
$\sigma_n(X)$ of some variable $X$ of $E_n$. Using the bounds of Lemmas 8, 9, 10 and 12, 
there exists a singleton context-free grammar $G'_n$ that generates $\sigma_n(X)$ and 
satisfies 

$$|G'_n| \le |G_n| + \mathrm{depth}(G_n) + |D_n| + \lceil \log |D_n| \rceil + 2 \lfloor \log k \rfloor$$
$$\mathrm{depth}(G'_n) \le \mathrm{depth}(G_n) + \lceil \log k \rceil + \lceil \log |D_n| \rceil + 1$$

Notice that the worst bounds are given by Lemma 8. 

By Lemma 11 we have $n \le |D_1|^2$, and using Lemma 6 (see Definition 7), we 
have 

$$|G_n| \le |G_1| + |D_1|^2\, \mathrm{depth}(G_1)$$
$$\mathrm{depth}(G_n) = \mathrm{depth}(G_1)$$

Moreover, the size of the dependence graph does not increase during the rewriting 
steps, therefore $|D_n| \le |D_1|$. Notice that it is possible that $X$ is not a 
variable of $E_1$. In this case, $X$ will be a variable with primes, say $X^{(m)}$ with 
$m < n$. Then it is possible to construct the instance $\sigma_1(X)$ from $\sigma_n(X^{(m)})$ 
as $\sigma_1(X) = \lambda x.\, w_{a_1} \cdots w_{a_m}\, \sigma_n(X^{(m)})\, x$, where $w_{a_i}$ is the word generated by $a_i$, 
a non-terminal symbol of $G_1 \subseteq G_n$. Therefore, if we already have a 
grammar generating $\sigma_n(X^{(m)})$, we can construct a grammar generating $\sigma_1(X)$ 
by simply adding new rules. In the worst case, this increases the depth of the 
grammar by $\lceil \log(m + 1) \rceil$, and its size by $m$. 

Summarizing, we can find a grammar $G' \supseteq G$ generating $\sigma_1(X)$, for some 
variable $X$ of $E$, and satisfying: 

$$|G'| \le |G| + |D|^2\, \mathrm{depth}(G) + |D| + \mathrm{depth}(G) + \lceil \log |D| \rceil + 2 \lfloor \log k \rfloor + |D|^2$$
$$\mathrm{depth}(G') \le \mathrm{depth}(G) + \lceil \log k \rceil + \lceil \log |D| \rceil + \lceil \log(|D|^2 + 1) \rceil$$

Using orders: 

$$|G'| \le |G| + O(|D|^2\, \mathrm{depth}(G) + \log k)$$
$$\mathrm{depth}(G') \le \mathrm{depth}(G) + O(\log k + \log |D|)$$

Since $|D|$ is the number of edges in the graph of dependencies, and $|E|$ the number 
of symbols in the equations, by construction of the graph of dependencies from 
the equations, we have $|D| \le |E|$. □ 



7 Main Results and Some Remarks 

Theorem 2 states that, given a generalized set of equations $(E, G)$, we can build 
a new grammar defining the instance of some variable of $E$. Then we can instan- 
tiate this variable in the equations in order to obtain a new set of equations with 
one variable less. This process does not increase the size of the equations, since 
we use just one non-terminal symbol of the grammar to describe the instance 
of the variable. We can repeat this process $N$ times, $N$ being the number of 
variables, bounded by the original size of the problem $|E|$. The increase in the 
depth of the grammar is $N \cdot O(\log k)$ ($k$ being the bound on the exponent of periodicity, with $\log k = O(|E|)$), thus $O(|E|^2)$. The increase in the size of the grammar is 
$N \cdot O(|E|^2\, \mathrm{depth}(G) + \log k)$. Although it depends on the depth of the grammar 
(see Remark 2), it has order $O(|E|^5)$. This allows us to conclude: 

Theorem 3. For any solvable generalized set of equations $(E, \emptyset)$, there exists 
a lazy unifier $(\sigma, G)$ such that the size of $(\sigma, G)$ is polynomially bounded in the 
size of $E$; in fact $|\sigma| = O(|E|)$, $|G| = O(|E|^5)$, and $\mathrm{depth}(G) = O(|E|^2)$. 

Theorem 3 proves the existence of a polynomially bounded solution for every 
solvable MSOU problem. Now we have to prove that checking whether a substitution 
is a solution can be performed in polynomial time. Given a substitution, we 
instantiate the equations. This removes all variable occurrences, and does 
not increase their sizes, because every variable is replaced by just one symbol of 
the grammar (in some cases their arguments are removed, but this decreases the 
size). With a small increase of $|E|$ (according to Lemma 4) in the size of the 
grammar, we can obtain a new grammar defining both sides of every equation, 
and use Plandowski's Theorem 1 to check their syntactic equality. 

Corollary 1. Monadic Second-Order Unification is NP-complete. 

Theorem 4. Monadic Second-Order Matching is NP-complete. 

Note that the proof of NP-hardness of MSOU in [SS04] does not use an MSO- 
matching problem, so the proof of Theorem 4 requires a different encoding. We 
also use the one-in-three-SAT problem, which is known to be NP-complete. We 
associate a pair of second-order variables $X_p, Y_p$ to every propositional variable 
$p$, and use a pair of equations $X_p\, Y_p\, b = a\, b$ and $X_p\, Y_p\, c = a\, c$ to ensure that 
their values are $\lambda x.\, a\, x$, interpreted as true, or $\lambda x.\, x$, interpreted as false. Then 
we encode every clause $p \vee q \vee r$ as $X_p\, X_q\, X_r\, b = a\, b$. 
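The encoding sketched for Theorem 4, checked by brute force as an added example (my own code, not the paper's). It shows that the pair of gadget equations $X_p\, Y_p\, b = a\, b$ and $X_p\, Y_p\, c = a\, c$ admits exactly the two instantiations read as true and false among the six instance shapes of Definition 4 over $\Sigma_1 = \{a\}$, $\Sigma_0 = \{b, c\}$, the second equation ruling out instances such as $\lambda x.\, a\, b$ that drop their argument, and that the clause equations then have exactly the one-in-three assignments of the formula as solutions. The formula is constructed; instances are written as Python functions on the argument word so that $\lambda x.\, a\, x$ is literally `lambda w: "a" + w`.

```python
"""Theorem 4: ONE-IN-THREE-SAT as monadic second-order matching, checked by
brute force.  Added example, not the paper's code; the formula is constructed."""
from itertools import product

# Instances of Definition 4 as functions on the argument word.
TRUE = lambda w: "a" + w                       # λx.a x, read as true
FALSE = lambda w: w                            # λx.x,   read as false
ALL_SHAPES = [TRUE, FALSE,                     # plus the shapes dropping their argument:
              lambda w: "ab", lambda w: "ac",  # λx.a b, λx.a c
              lambda w: "b", lambda w: "c"]    # λx.b,   λx.c


def instantiate(side, sigma):
    """Evaluate s_1(...(s_j(X(w)))) right to left: constants prepend a letter,
    variables apply their instance to the word built so far."""
    word = ""
    for tok in reversed(side):
        word = sigma[tok](word) if tok in sigma else tok + word
    return word


def solves(equations, sigma):
    return all(instantiate(l, sigma) == instantiate(r, sigma) for l, r in equations)


def gadget(p):
    """X_p Y_p b = a b and X_p Y_p c = a c, forcing X_p to be true or false."""
    return [([f"X{p}", f"Y{p}", "b"], ["a", "b"]),
            ([f"X{p}", f"Y{p}", "c"], ["a", "c"])]


def clause_equation(p, q, r):
    """The clause p v q v r, read one-in-three, as X_p X_q X_r b = a b."""
    return ([f"X{p}", f"X{q}", f"X{r}", "b"], ["a", "b"])


def gadget_solutions(p="p"):
    """All (X_p, Y_p) pairs among the six shapes solving the gadget equations."""
    return {(x, y) for x in ALL_SHAPES for y in ALL_SHAPES
            if solves(gadget(p), {f"X{p}": x, f"Y{p}": y})}


def compare(clauses):
    """(one-in-three models of the formula, assignments read off the matching
    solutions); the two sets coincide when the encoding is correct."""
    variables = sorted({v for clause in clauses for v in clause})
    sat_models = {bits for bits in product((0, 1), repeat=len(variables))
                  if all(sum(bits[variables.index(v)] for v in clause) == 1
                         for clause in clauses)}
    equations = ([eq for v in variables for eq in gadget(v)]
                 + [clause_equation(*clause) for clause in clauses])
    match_models = set()
    for choice in product(gadget_solutions(), repeat=len(variables)):
        sigma = {}
        for v, (x, y) in zip(variables, choice):
            sigma[f"X{v}"], sigma[f"Y{v}"] = x, y
        if solves(equations, sigma):
            match_models.add(tuple(int(sigma[f"X{v}"] == TRUE) for v in variables))
    return sat_models, match_models
```

`compare([("p", "q", "r"), ("q", "r", "s")])` enumerates the sixteen assignments on the SAT side and the sixteen combinations of gadget solutions on the matching side; a clause with a repeated variable such as `("p", "p", "q")` is handled the same way, since the repeated $X_p$ contributes two copies of $a$.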

Remark 2. Theorem 3 clarifies the increase in the size of the grammar represent- 
ing the solution of a set of equations after instantiating $N$ variables according 
to Theorem 2. That theorem fixes this increase with respect to the size of the 
equations, the logarithm of the upper bound on the exponent of periodicity, and 
the depth of the grammar. The question is then: could we avoid the use of the 
depth of the grammar? The answer is no. For instance, Lemma 6 says that, if 
we want to define a prefix of some word defined by a grammar $G$, in the worst 
case we can keep the depth, but we may need to increase the size to 
$|G'| \le |G| + \mathrm{depth}(G)$. If we only use the size of the grammar to characterize 
it, then in the worst case we may be forced to duplicate the size of the grammar, 
$|G'| \le 2|G|$. Each time that we instantiate a variable it can be necessary to 
define a new prefix, therefore, in the worst case, the size of the resulting gram- 
mar would be $2^N$, $N \le |E|$ being the number of variables. This would result in 
an exponential upper bound on the size of the grammar. 

8 Conclusions 

In this paper we prove that Monadic Second-Order Unification (MSOU) is in 
NP using a result of Plandowski about context-free grammars [Pla94,Pla95]. 
This result, together with the NP-hardness of the problem [SS04], proves its NP- 
completeness. As we mention in the introduction, MSOU is a specialization of 
Bounded Second-Order Unification (BSOU). This suggests that some of the 
ideas contained in this paper could be used to try to prove that BSOU is in NP. 
A Certified AC Matching Algorithm 

Abstract. In this paper, we propose a matching algorithm for terms 
containing some function symbols which can be either free, commuta- 
tive or associative-commutative. This algorithm is presented by inference 
rules, and these rules have been formally proven sound, complete and 
decreasing in the COQ proof assistant, while the corresponding algorithm 
is implemented in the CiME system. Moreover some preparatory work 
has been done in COQ, such as proving that checking the equality of two 
terms modulo some commutative and associative-commutative theories 
is decidable. 

1 Introduction 

Nowadays, the communities of automated deduction and of proof theory are 
quite close, and it is possible to consider the integration of rewriting modulo AC 
into proof assistants. In this setting, it is crucial to use a reliable AC matching 
algorithm for the rewriting embedded in the assistant in order to retain the 
confidence in the validated proofs. In this paper, we present such an algorithm, 
which is based on inference rules. These rules are sound and complete, and a 
formal proof of this has been done in the COQ proof assistant [9]. Moreover, each 
rule has been proven strictly decreasing with respect to the multiset extension 
of a well-founded ordering¹. As a preliminary work, terms, substitutions, and 
equality modulo AC have been defined and equality modulo AC has been shown 
to be decidable in COQ. The whole COQ development is more than 10000 lines 
long, and it could probably be shortened by using some more well-chosen lemmas. 

The corresponding algorithm has been used in CiME for one year, and seems rea- 
sonably efficient. A key point is that no copy of the subject, nor of the pattern 
terms, has to be made before running the algorithm itself, in order to avoid mixing 
pattern variables, which can be instantiated, with subject variables, which should 
be considered as constants. Compared with a previous version of the algo- 
rithm which needed to copy the subject, the benchmark times have been divided 
by 2, even though a lazy copy was used. 

The paper is organized as follows: first some basic notions are recalled in 
Section 2, and then the inference rules are presented in Section 3. In Section 4, 
we discuss the main difficulties encountered during the formal proof, and finally 
we conclude in Section 5. 

¹ However, the fact that the multiset extension itself is well-founded (Dickson's 
Lemma) has not been formally proven (yet). 
2 Preliminaries 

We assume that the reader is familiar with the basic notions of term algebra, 
substitution and equational theory as surveyed in [4]. In the following we are 
given $\mathcal{F}$, a signature, $\mathcal{X}$ an infinite set of variables, and $\mathcal{E}$ an equational theory 
defined over the term algebra $\mathcal{T}(\mathcal{F}, \mathcal{X})$ by a disjoint union of sets of axioms of 
the form 

$$C(+) = \{x + y = y + x\} \quad \text{or} \quad AC(+) = \{x + y = y + x,\ (x + y) + z = x + (y + z)\}$$

where $+$ is a binary symbol which belongs to $\mathcal{F}$. 

An equational step is a pair of terms $(s, t)$ such that there exists an axiom 
$l = r$ in the above set, a position $p$ in $s$ and a substitution $\sigma$ such that the 
subterm of $s$ at position $p$ is equal to $l\sigma$, and $t = s[r\sigma]_p$. This is denoted by 
$s \longleftrightarrow t$. $=_{\mathcal{E}}$ is the reflexive, symmetric and transitive closure of $\longleftrightarrow$. In the 
following $(s, t) \in\ =_{\mathcal{E}}$ will be denoted as $s =_{\mathcal{E}} t$, and even $s = t$ when there is no 
ambiguity. 

It is well-known folklore that $=_{\mathcal{E}}$ is decidable when the underlying set of 
axioms contains only C and AC. The most obvious proof is that all the terms in 
an equivalence class have the same size and the same multiset of function symbols 
and variables, hence every equivalence class is finite, and can be computed by 
saturation. However, in practice, this is not how one checks that two terms are 
equal (modulo): terms are recursively flattened under the AC function symbols 
and the arguments under C and AC symbols are sorted with respect to a total 
ordering. Two terms are equal if and only if their canonical forms are identical. 
This has been formally proven by the author within the COQ proof assistant, 
see Section 4 for some more details. 

The problem we are tackling is, given two terms $p$ and $s$, to find the 
substitutions $\sigma$ such that $p\sigma = s$. Since the class of $s$ is finite, so is the set of 
solutions. Several algorithms have been proposed to compute it [6, 7, 3, 1, 2, 5, 8]. 
The one which is presented here is based on inference rules and its core has been 
proven to be sound and complete in COQ. 

We use here a slightly more general definition, where a matching problem $M$ 
is considered as a conjunction of $n$ pairs of terms $p_1 = s_1 \wedge p_2 = s_2 \wedge \dots \wedge p_n = s_n$, 
and a substitution $\sigma$ is a solution of $M$ whenever for all $i$ such that $1 \le i \le n$, 
$p_i\sigma = s_i$, where $=$ denotes the equality modulo (C or AC). The rules presented 
below use a more detailed structure, as defined below: 

Definition 1. A simple matching problem $M$ consists of three parts: 

— the unsolved part $U$, a conjunction of pairs of terms, 

— the partly solved part $P$, a conjunction of quadruples $(x, +, y, s)$, where $x$ and 
$y$ are variables, $+$ an AC function symbol and $s$ is a term. Sometimes, this 
quadruple will also be denoted by $x = y + s$, 

— the solved part $S$, a conjunction of pairs of terms, where the first term is 
actually a variable. 
Init: $\quad p_1 = s_1 \wedge p_2 = s_2 \wedge \dots \wedge p_n = s_n \quad \Longrightarrow \quad (p_1 = s_1 \wedge p_2 = s_2 \wedge \dots \wedge p_n = s_n,\ \emptyset,\ \emptyset)$ 

Extract$_1$: $\quad \exists \bar y\, (\emptyset, P, S) \quad \Longrightarrow \quad \exists \bar y\, (\mathrm{id}, (\emptyset, P, S))$ 

where $\mathrm{id}$ denotes the identity substitution. 

Extract$_S$: $\quad \exists \bar y\, (\sigma, (\emptyset, P, x = s \wedge S)) \quad \Longrightarrow \quad \exists \bar y\, (\{x \mapsto s\} \oplus \sigma, (\emptyset, P, S))$ 

where $\{x \mapsto s\} \oplus \sigma$ denotes the substitution whose domain is the domain 
of $\sigma$ union $\{x\}$, and which is equal to $\sigma$, except that it maps $x$ onto $s$. 

Extract$_P$: $\quad \exists \bar y\, \exists y\, (\sigma, (\emptyset, x = y + s \wedge P, \emptyset)) \quad \Longrightarrow \quad \exists \bar y\, (\{x \mapsto y\sigma + s\} \oplus \sigma, (\emptyset, P, \emptyset))$ 

Extract: $\quad (\sigma, (\emptyset, \emptyset, \emptyset)) \quad \Longrightarrow \quad \sigma$ 

Fail: $\quad \exists \bar y\, (p = s \wedge U, P, S) \quad \Longrightarrow \quad \bot \quad$ if no other rule can apply. 

Fig. 1. The rules for the initialization, the extraction of solutions, and failure cases. 



A substitution $\sigma$ is a solution of $M$ whenever 

— $\forall (p, s) \in U(M)$, $p\sigma = s$, 

— $\forall (x, +, y, s) \in P(M)$, $x\sigma = y\sigma + s$, 

— $\forall (x, s) \in S(M)$, $x\sigma = s$. 

A matching problem is a pair consisting of a list $\bar y$ of existentially quantified 
variables and a simple matching problem $M$, and is denoted as $\exists \bar y\, M$. 

A substitution $\sigma$ is a solution of $\exists \bar y\, M$ whenever there exists a substitution $\sigma'$ 
such that $\sigma'$ is a solution of $M$ and $\forall x \notin \bar y$, $x\sigma = x\sigma'$. 



3 Rules 

Since AC equality is checked via the identity of canonical forms, the terms han- 
dled by the rules are in canonical form. Moreover, for the sake of readability, when 
$+$ is an AC function symbol and $t_1 + \dots + t_n$ is the canonical form of a well- 
formed term, we allow ourselves to write the term $t_1 + \dots + t_{k-1} + t_{k+1} + \dots + t_n$, with the 
convention that when the list of subterms $t_1, \dots, t_{k-1}, t_{k+1}, \dots, t_n$ is reduced to 
a singleton $t$, $t_1 + \dots + t_{k-1} + t_{k+1} + \dots + t_n$ actually denotes $t$. Notice that this 
list cannot be empty. The rules are split into several subsets: 

— in Figure 1, the rule Init builds a matching problem from a set of equations 
to be solved, the rules Extract build a solution from a problem with an 
empty unsolved part, and the rule Fail applies whenever no other rule can be 
applied. 







Merge$_S$: $\quad \exists \bar y\, (x = s \wedge U, P, x = s' \wedge S) \quad \Longrightarrow \quad \exists \bar y\, (U, P, x = s' \wedge S) \quad$ if $s = s'$ 

Clash$_S$: $\quad \exists \bar y\, (x = s \wedge U, P, x = s' \wedge S) \quad \Longrightarrow \quad \bot \quad$ if $s \ne s'$ 

Merge$_P$: $\quad \exists \bar y\, (x = s_1 + \dots + s_n \wedge U, x = y + s' \wedge P, S) \quad \Longrightarrow \quad \exists \bar y\, (y = s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n \wedge U, x = y + s' \wedge P, S) \quad$ if $+$ is AC, $s_k = s'$ 

Clash$_P$: $\quad \exists \bar y\, (x = s \wedge U, x = y + s' \wedge P, S) \quad \Longrightarrow \quad \bot \quad$ if Merge$_P$ does not apply (no summand $s_k$ of $s$ under the AC symbol $+$ equals $s'$) 

Solve: $\quad \exists \bar y\, (x = s \wedge U, P, S) \quad \Longrightarrow \quad \exists \bar y\, (U, P, x = s \wedge S) \quad$ if $x$ does not occur as a left member of a pair in $S$, nor in $P$ 

Fig. 2. The rules for the case where the pattern term of the first unsolved equation is 
a variable. 



— in Figure 2, the rules apply to problems where the pattern term of the 
first unsolved equation $p = s$ is a variable $x$. Merge$_S$ and Clash$_S$ (resp. 
Merge$_P$ and Clash$_P$) check the compatibility of $s$ with the assigned plain 
(resp. partial) value of $x$. Solve simply moves the equation to the solved 
part whenever $x$ has no value yet. 

— in Figure 3, the rules apply to problems where the pattern term of the first 
unsolved equation is not a variable. Clash and Dec are the usual rules, and 
Dec$_C$ is the syntactic decomposition modulo commutativity. All the other 
rules apply to an equation $p_1 + \dots + p_m = s_1 + \dots + s_n$ where $+$ is AC: 
when $p_1$ is a variable $x$, AC$_{S=}$ and AC$_{S\neq}$ (resp. AC$_{P\neq}$ and AC$_{P=}$) ensure 
the compatibility of $p_1 + \dots + p_m = s_1 + \dots + s_n$ with the assigned plain 
(resp. partial) value of $x$. AC$_{\neq}$ and AC$_{=}$ respectively assign a single $s_i$ and 
several $s_i$'s to $x$ when $x$ has no value yet. When $p_1$ is not a variable, AC 
non-deterministically assigns a single $s_i$ to it. 

Most of the rules are deterministic, but a few of the last subset are not: Dec$_C$, 
AC, AC$_{P\neq}$, AC$_{\neq}$ and AC$_{=}$. In these latter cases, all possibilities have to be 
developed in order to get a complete algorithm (don't-know non-determinism). 



3.1 The Algorithm 

The corresponding algorithm is quite simple: 

— from a set of equations to be solved, build a matching problem using the 
rule Init. 
Clash: $\quad \exists \bar y\, (f(p_1, \dots, p_n) = g(s_1, \dots, s_m) \wedge U, P, S) \quad \Longrightarrow \quad \bot \quad$ if $f \ne g$ 

Dec: $\quad \exists \bar y\, (f(p_1, \dots, p_n) = f(s_1, \dots, s_n) \wedge U, P, S) \quad \Longrightarrow \quad \exists \bar y\, (p_1 = s_1 \wedge \dots \wedge p_n = s_n \wedge U, P, S) \quad$ if $f$ is free or a constant (that is, $n = 0$) 

Dec$_C$: $\quad \exists \bar y\, (f(p_1, p_2) = f(s_1, s_2) \wedge U, P, S) \quad \Longrightarrow \quad \exists \bar y\, (p_1 = s_i \wedge p_2 = s_{(i \bmod 2) + 1} \wedge U, P, S) \quad$ if $f$ is C, $i = 1$ or $i = 2$ 

AC$_{S\neq}$: $\quad \exists \bar y\, (x + p_2 + \dots + p_m = s_1 + \dots + s_n \wedge U, P, x = s \wedge S) \quad \Longrightarrow \quad \exists \bar y\, (p_2 + \dots + p_m = s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n \wedge U, P, x = s \wedge S) \quad$ if $+$ is AC, $m \le n$, $s_k = s$ 

AC$_{S=}$: $\quad \exists \bar y\, (x + p_2 + \dots + p_m = s_1 + \dots + s_n \wedge U, P, x = s'_1 + \dots + s'_{n'} \wedge S) \quad \Longrightarrow \quad \exists \bar y\, (p_2 + \dots + p_m = s''_1 + \dots + s''_{n''} \wedge U, P, x = s'_1 + \dots + s'_{n'} \wedge S) \quad$ if $+$ is AC, $1 < n'$, $m - 1 \le n'' = n - n'$, and $\{s''_1, \dots, s''_{n''}\} \cup \{s'_1, \dots, s'_{n'}\} = \{s_1, \dots, s_n\}$, where $\cup$ is the union of multisets 

AC$_{P\neq}$: $\quad \exists \bar y\, (x + p_2 + \dots + p_m = s_1 + \dots + s_n \wedge U, x = y * s \wedge P, S) \quad \Longrightarrow \quad \exists \bar y\, (y = s'_2 * \dots * s'_l \wedge p_2 + \dots + p_m = s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n \wedge U, x = y * s \wedge P, S) \quad$ if $+$ is AC, $m \le n$, $+ \ne *$, $s_k = s * s'_2 * \dots * s'_l$ 

AC$_{P=}$: $\quad \exists \bar y\, (x + p_2 + \dots + p_m = s_1 + \dots + s_n \wedge U, x = y + s \wedge P, S) \quad \Longrightarrow \quad \exists \bar y\, (y + p_2 + \dots + p_m = s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n \wedge U, x = y + s \wedge P, S) \quad$ if $+$ is AC, $m \le n$, $s_k = s$ 

AC$_{\neq}$: $\quad \exists \bar y\, (x + p_2 + \dots + p_m = s_1 + \dots + s_n \wedge U, P, S) \quad \Longrightarrow \quad \exists \bar y\, (p_2 + \dots + p_m = s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n \wedge U, P, x = s_k \wedge S) \quad$ if $+$ is AC, $m \le n$, $x$ does not occur as a left member of a pair in $S$, nor in $P$ 

AC$_{=}$: $\quad \exists \bar y\, (x + p_2 + \dots + p_m = s_1 + \dots + s_n \wedge U, P, S) \quad \Longrightarrow \quad \exists \bar y\, \exists y\, (y + p_2 + \dots + p_m = s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n \wedge U, x = y + s_k \wedge P, S) \quad$ if $+$ is AC, $m \le n$, $x$ does not occur as a left member of a pair in $S$, nor in $P$, and $y$ is a new (left) variable 

AC: $\quad \exists \bar y\, (g(\bar p) + p_2 + \dots + p_m = s_1 + \dots + s_n \wedge U, P, S) \quad \Longrightarrow \quad \exists \bar y\, (g(\bar p) = s_k \wedge p_2 + \dots + p_m = s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n \wedge U, P, S) \quad$ if $+$ is AC, $1 < m \le n$, and the head symbol of $s_k$ is $g$ 

Fig. 3. The rules for the case when the pattern term of the first unsolved equation is 
not a variable. 
— apply the rules Merge_S, Clash_S, Merge_P, Clash_P, Solve, Clash, Dec, 
Dec_C, AC_S≠, AC_S=, AC_P≠, AC_P=, AC_≠, AC_=, AC as far as possible. 
If no rule is applicable, and the unsolved part is not empty, then apply Fail. 

— if the unsolved part is empty, apply Extract^ in order to build the solution, 
then Extract_S, Extract_P as far as possible, and eventually Extract. 

Since some of the rules have to be applied non-deterministically, the algo- 
rithm actually handles a disjunction of problems, and a rule transforms a disjunc- 
tion of problems by replacing one of the problems by all the problems it can 
produce by the non-deterministic choices (or even none in the case of failure 
rules). This process can be seen as developing a (search) tree; hence there are 
many possible strategies, such as breadth-first search, depth-first search, and so on. 

Moreover, notice that the unsolved equations can actually be considered as 
a set, that is, one may pick any equation, and consider it as the first one, which 
enlarges the possible strategies. The solved and partly solved equations are not 
plain sets, since any variable can occur only at most as a left-hand side in one of 
them. In order to properly extract the solutions from a matching problem where 
the unsolved part is empty, it is important to keep record of the ordering of 
the introduction of the existentially quantified variables, hence the partly solved 
part should be seen as a stack. 

By definition of the solutions of a matching problem, it is clear that they are 
an invariant of the rule Init. 

3.2 Correctness of the Second Step of the Algorithm 

The rules Merge_S, Clash_S, Merge_P, Clash_P, Solve, Clash, Dec, Dec_C, 
AC_S≠, AC_S=, AC_P≠, AC_P=, AC_≠, AC_=, AC and Fail do not build 
ill-formed problems; they are decreasing, sound and complete. The first, the 
second and the third properties seem quite trivial. We shall give some hints for 
the proof of the last property. 

Lemma 1. If a rule among Merge_S, Clash_S, Merge_P, Clash_P, Solve, 
Clash, Dec, Dec_C, AC_S≠, AC_S=, AC_P≠, AC_P=, AC_≠, AC_=, AC can 
apply to a matching problem $\exists\bar y\,(U, P, S)$ such that 

— every term occurring in $U$, $P$ and $S$ is the canonical form of a well-formed 
term, 

— any variable occurs at most once as a left value in $P$ and $S$, 

— all the quadruples $(x, +, y, s)$ in $P$ are such that $+$ is AC and $s(\varepsilon) \neq +$, 

so is (are) the resulting problem(s). 

Lemma 2. The rules Merge_S, Clash_S, Merge_P, Clash_P, Solve, Clash, 
Dec, Dec_C, AC_S≠, AC_S=, AC_P≠, AC_P=, AC_≠, AC_=, AC are decreasing 
with respect to (the multiset extension of) the measure $\mathcal{M}$: 

$$\mathcal{M}(p_1 = s_1 \wedge \dots \wedge p_n = s_n,\ P,\ S) = \sum_{i=1}^{n} size(p_i) + size(s_i)$$
Lemma 3. Let M be a well-formed matching problem in the sense of Lemma 1. 
If σ is a solution of M', and M' is obtained from M by applying one of the rules 
Merge_S, Clash_S, Merge_P, Clash_P, Solve, Clash, Dec, Dec_C, AC_S≠, 
AC_S=, AC_P≠, AC_P=, AC_≠, AC_=, AC, then σ is a solution of M. 

Sketch of the proof. 

The proof is done by cases on the rule which has been applied. We shall examine 
in detail only one case, the others being similar. Let us assume that the rule is 
AC_P≠, that is 

$$M = \exists\bar y\,(x + p_2 + \dots + p_m = s_1 + \dots + s_n \wedge U,\ x = y * s \wedge P,\ S)$$

$$M' = \exists\bar y\,(y = s'_2 * \dots * s'_{n'} \wedge p_2 + \dots + p_m = s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n \wedge U,\ x = y * s \wedge P,\ S),$$

and $+$ is AC, $m \le n$, $+ \neq *$, $s_k = s * s'_2 * \dots * s'_{n'}$. By definition, σ is a solution 
of M' means that 

1. $y\sigma = s'_2 * \dots * s'_{n'}$, 

2. $(p_2 + \dots + p_m)\sigma = s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n$, 

3. $\forall\, p = s \in U,\ p\sigma = s$, 

4. $x\sigma = y\sigma * s$, 

5. $\forall\, (x', +', y', s') \in P,\ x'\sigma = y'\sigma +' s'$, 

6. $\forall\, x' = s' \in S,\ x'\sigma = s'$. 

We shall prove that σ is a solution of M, that is 

— $(x + p_2 + \dots + p_m)\sigma = s_1 + \dots + s_n$, 

— $\forall\, p = s \in U,\ p\sigma = s$, 

— $x\sigma = y\sigma * s$, 

— $\forall\, (x', +', y', s') \in P,\ x'\sigma = y'\sigma +' s'$, 

— $\forall\, x' = s' \in S,\ x'\sigma = s'$. 

Let us consider the first item, the others being obvious: 

$$\begin{aligned}
(x + p_2 + \dots + p_m)\sigma &= x\sigma + (p_2 + \dots + p_m)\sigma \\
&= (y\sigma * s) + (p_2 + \dots + p_m)\sigma && \text{by (4)} \\
&= ((s'_2 * \dots * s'_{n'}) * s) + (p_2 + \dots + p_m)\sigma && \text{by (1)} \\
&= (s * s'_2 * \dots * s'_{n'}) + (p_2 + \dots + p_m)\sigma && * \text{ is AC, by Lemma 1} \\
&= s_k + (p_2 + \dots + p_m)\sigma && \text{by hypothesis} \\
&= s_k + s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n && \text{by (2)} \\
&= s_1 + \dots + s_n && + \text{ is AC, by hypothesis}
\end{aligned}$$

□ 

Lemma 4. Let M be a well-formed matching problem in the sense of Lemma 1. 
If the unsolved part of M is not empty and if σ is a solution of M, then one 
of the rules Merge_S, Clash_S, Merge_P, Clash_P, Solve, Clash, Dec, Dec_C, 
AC_S≠, AC_S=, AC_P≠, AC_P=, AC_≠, AC_=, AC can be applied, and there 
exists M' among the resulting problems such that σ is a solution of M'. 
Proof. By hypothesis, the unsolved part of M is not empty, hence let $p = s$ 
be the first unsolved equation of M. We shall reason by cases over the form of 
$p = s$. It should be noticed that once the first unsolved equation of M is fixed (or 
chosen), only one rule can apply. In the following, we assume that σ is actually 
a solution of the underlying simple matching problem of M. We shall discuss 
the problem of existentially quantified variables only when the rule AC_= can be 
applied, since all the other rules do not modify the list of existentially quantified 
variables. 

1. If $p$ is a variable $x$, there are three disjoint sub-cases: 

(a) If there is an equation of the form $x = s'$ in $S$, then either $s$ and $s'$ are 
equal (modulo AC), or they are not. 

In the first case, the rule Merge_S applies and it is obvious that σ is a 
solution of the resulting problem. 

In the second case, the rule Clash_S applies, and σ cannot be a solution 
of M, since this would imply $s = x\sigma = s'$. 

(b) If there is an equation of the form $x = y + s'$ in $P$, since M is a well- 
formed problem, $+$ is an AC function symbol. Either the top symbol of 
$s$ is equal to $+$ or not. In the first case, if the requested conditions are 
fulfilled, the rule Merge_P applies, else Fail: 

— In the Merge_P case, there exists a subterm $s_k$ of $s = s_1 + \dots + s_n$ 
which is equal to $s'$, and $s = s_1 + \dots + s_n = x\sigma = y\sigma + s_k$. Hence 
$s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n = y\sigma$, and σ is a solution of the 
resulting problem. 

— In the Fail case, there does not exist any subterm $s_k$ of $s = s_1 + 
\dots + s_n$ which is equal to $s'$, which contradicts the fact that σ is a 
solution, in particular that $s = y\sigma + s'$. 

In the second case the rule Clash_P applies, and σ cannot be a solution 
of M, since this would imply $s = x\sigma = y\sigma + s'$, and two terms equal 
modulo AC have the same top symbol. 

(c) Otherwise, Solve applies, and σ is obviously a solution of the resulting 
problem. 

2. If $p$ is not a variable term, then either the top symbols of $p$ and $s$ are equal or 
not. In this latter case, the rule Clash applies, and σ cannot be a solution 
of M, since two terms equal modulo AC have the same top symbol, and $p$ 
and $p\sigma$ have the same top symbol. 

Otherwise, 

(a) if the top is a free function symbol, then the rule Dec applies, and 
obviously σ is a solution of the resulting problem, since no C or AC 
axioms can be applied at the top of the terms in an equational proof of 
$p\sigma = s$. 

(b) if the top is a C function symbol, Dec_C applies and, since commutativity 
is syntactic, σ is a solution of one of the two resulting problems. 

(c) if the top is an AC function symbol $+$, then $p = p_1 + \dots + p_m$ and 
$s = s_1 + \dots + s_n$. There are two sub-cases, according to $p_1$, the first 
subterm of $p$: 
— if $p_1$ is a variable $x$, then we split into three disjoint sub-cases, as for 
the case when $p$ is a variable term. 

• if there is an equation of the form $x = s'$ in $S$, since σ is a solution 
of M, 

$$s = s_1 + \dots + s_n = p\sigma = p_1\sigma + p_2\sigma + \dots + p_m\sigma = x\sigma + p_2\sigma + \dots + p_m\sigma = s' + p_2\sigma + \dots + p_m\sigma.$$

There are two disjoint cases: either the top symbol of $s'$ is equal to 
$+$, or it is different. 

In the first case, $s'$ is of the form $s'_1 + \dots + s'_{n'}$, and $s_1 + \dots + s_n = 
s'_1 + \dots + s'_{n'} + p_2\sigma + \dots + p_m\sigma$. Since we consider only flattened 
terms, the $s_i$'s and the $s'_i$'s do not have $+$ as top symbol, hence 
the multiset $\{s_1, \dots, s_n\}$ contains $\{s'_1, \dots, s'_{n'}\}$: there exists a 
multiset $\{s''_1, \dots, s''_{n''}\}$ such that 

$$\{s_1, \dots, s_n\} = \{s'_1, \dots, s'_{n'}\} \uplus \{s''_1, \dots, s''_{n''}\}.$$

This means that the rule AC_S= applies. Moreover $s''_1 + \dots + s''_{n''} = 
p_2\sigma + \dots + p_m\sigma$, hence σ is a solution of the resulting problem. 

In the second case, $s'(\varepsilon) \neq +$; since we consider only flattened 
terms, the $s_i$'s do not have $+$ as top symbol, hence the multiset 
$\{s_1, \dots, s_n\}$ contains $s'$, that is, there exists $k$ such that $s' = s_k$. 
Moreover, after flattening the $p_i\sigma$'s, the number of subterms of 
$s' + p_2\sigma + \dots + p_m\sigma$ may only increase, which means that $m \le n$. 
Hence the rule AC_S≠ applies to M. Since $s_1 + \dots + s_{k-1} + s_{k+1} + 
\dots + s_n = p_2\sigma + \dots + p_m\sigma$, σ is also a solution of the resulting 
problem. 

• if there is a quadruple $(x, *, y, s')$ in $P$, since σ is a solution of 
M, 

$$s = s_1 + \dots + s_n = p\sigma = p_1\sigma + p_2\sigma + \dots + p_m\sigma = x\sigma + p_2\sigma + \dots + p_m\sigma = (y\sigma * s') + p_2\sigma + \dots + p_m\sigma.$$

If $* = +$, $s_1 + \dots + s_n = y\sigma + s' + p_2\sigma + \dots + p_m\sigma$, and the 
top symbol of $s'$ is not $+$ (M is well-formed). This implies that 
$s'$ is contained in $\{s_1, \dots, s_n\}$, that is there exists $k$ such that 
$s_k = s'$. Moreover, after flattening $y\sigma$ and the $p_i\sigma$'s, the number 
of subterms of $y\sigma + s' + p_2\sigma + \dots + p_m\sigma$ may only increase, which 
means that $m < n$. Hence the rule AC_P= applies to M. Since 
$s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n = y\sigma + p_2\sigma + \dots + p_m\sigma$, σ is 
also a solution of the resulting problem. 

If $* \neq +$, $y\sigma * s'$ is contained in $\{s_1, \dots, s_n\}$, that is there exists 
$k$ such that $s_k = y\sigma * s'$. Moreover, after flattening the $p_i\sigma$'s, 
the number of subterms of $(y\sigma * s') + p_2\sigma + \dots + p_m\sigma$ may only 
increase, which means that $m \le n$. Hence the rule AC_P≠ applies 
to M. The top symbol of $s'$ is not equal to $*$, hence $s'$ is contained 
in the multiset of the direct subterms of $s_k = s'_1 * \dots * s'_{n'}$. We 
assume that $s' = s'_1$ (without loss of generality, after reordering 
the subterms). Hence $y\sigma = s'_2 * \dots * s'_{n'}$. We have also $s_1 + \dots + 
s_{k-1} + s_{k+1} + \dots + s_n = p_2\sigma + \dots + p_m\sigma$, hence σ is a solution 
of the resulting problem. 

• otherwise $x$ does not occur as a left-hand side of an equation, 
neither in $S$ nor in $P$. σ is a solution of M: 

$$s = s_1 + \dots + s_n = p\sigma = p_1\sigma + p_2\sigma + \dots + p_m\sigma = x\sigma + p_2\sigma + \dots + p_m\sigma.$$

After flattening $x\sigma$ and the $p_i\sigma$'s, the number of subterms in 
$x\sigma + p_2\sigma + \dots + p_m\sigma$ may only increase, hence $m \le n$. 

If the top symbol of $x\sigma$ is equal to $+$, then flattening $x\sigma$ actually 
strictly increases this number of subterms, hence $m < n$. Both 
rules AC_= and AC_≠ non-deterministically apply. We shall prove 
that σ is a solution of one of the resulting problems of AC_=. 
The multiset $\{s'_1, \dots, s'_{n'}\}$ of direct subterms of $x\sigma$ is included in 
$\{s_1, \dots, s_n\}$: there exists $k$ such that $s'_1 = s_k$, and σ is a solution 
of $M'_k$, the $k$-th problem yielded by AC_=: $y$ is a new variable 
which does not occur in M, and is existentially quantified in $M'_k$. 
This means that we shall prove that there exists σ', a solution of 
$M'_k$, which is equal to σ, except maybe on $y$. The chosen value 
for $y\sigma'$ is $s'_2 + \dots + s'_{n'}$. It is clear that with this value, 

$$y\sigma' + p_2\sigma' + \dots + p_m\sigma' = s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n,$$

$$x\sigma' = y\sigma' + s_k,$$

that is, that σ' is a solution of $M'_k$. 

If the top symbol of $x\sigma$ is not equal to $+$, the rule AC_≠ non- 
deterministically applies (and maybe also AC_=). We shall prove 
that σ is a solution of one of the resulting problems of AC_≠. $x\sigma$ 
is included in the multiset $\{s_1, \dots, s_n\}$: there exists $k$ such that 
$x\sigma = s_k$. Hence $p_2\sigma + \dots + p_m\sigma = s_1 + \dots + s_{k-1} + s_{k+1} + \dots + s_n$, 
and σ is a solution of the $k$-th problem yielded by AC_≠. 
— if the first subterm of $p$ is not a variable, it is a term $g(\bar p')$, where $g$ 
is distinct from $+$, since $p$ is a flattened term. σ is a solution of M: 

$$s = s_1 + \dots + s_n = p\sigma = p_1\sigma + p_2\sigma + \dots + p_m\sigma = g(\bar p'\sigma) + p_2\sigma + \dots + p_m\sigma.$$

After flattening the $p_i\sigma$'s, the number of subterms in $g(\bar p'\sigma) + p_2\sigma + 
\dots + p_m\sigma$ may only increase, hence $m \le n$, hence the rule AC non- 
deterministically applies for the terms $s_k$ such that $s_k(\varepsilon) = g$. We 
shall prove that σ is a solution of one of the resulting problems. 
$g(\bar p'\sigma)$ is included in the multiset $\{s_1, \dots, s_n\}$: there exists $k$ such 
that $g(\bar p'\sigma) = s_k$ (this implies that $s_k(\varepsilon) = g$) and σ is a solution of 
$M'_k$, the $k$-th problem yielded by AC. □ 
3.3 Correctness of the Third Step of the Algorithm 

So far, we have proven that the first two steps of the algorithm are terminating, 
sound and complete. From a conjunction of equations to be solved, they build a 
disjunction of well-formed matching problems where the unsolved part is empty. 
It remains to prove that the last step, which extracts a substitution from such 
problems, is also terminating, sound and complete. For that purpose, we need 
to define what a solution of a pair made of a substitution and a matching 
problem is: 

Definition 2. Let $(\pi, M)$ be a pair of a substitution and a simple matching problem. 
A substitution σ is a solution of $(\pi, M)$ if 

— σ extends π, that is the domain of σ contains the domain of π, and for all 
$x$ in the domain of π, $x\pi = x\sigma$, 

— σ is a solution of the matching problem M. 

A substitution σ is a solution of $\exists\bar y\,(\pi, M)$ whenever there exists a substitution 
σ' such that 

— σ' is a solution of $(\pi, M)$, 

— $\forall x,\ x \notin \bar y \Rightarrow x\sigma = x\sigma'$. 

The fact that the rules for extracting the solutions are sound relies on the 
following 

Lemma 5. Let M' be a matching problem obtained from $(U_0, \emptyset, \emptyset)$ by apply- 
ing the rules Merge_S, Merge_P, Solve, Dec, Dec_C, AC_S≠, AC_S=, AC_P≠, 
AC_P=, AC_≠, AC_= and AC: M' is of the form 

$$\exists y_n \dots \exists y_1\,(U,\ x_n = y_n +_n s_n \wedge \dots \wedge x_1 = y_1 +_1 s_1,\ S)$$

and $\forall k, k',\ k' < k \Rightarrow x_{k'} \neq y_k$. 

Sketch of the proof. 

The proof is by induction over the number of applications of the rules. The only 
rule which modifies the existentially quantified variables and the partly solved 
part of a problem is AC_=, which transforms 

$$\exists y_{n-1} \dots \exists y_1\,(U,\ x_{n-1} = y_{n-1} +_{n-1} s_{n-1} \wedge \dots \wedge x_1 = y_1 +_1 s_1,\ S)$$

into 

$$\exists y_n \exists y_{n-1} \dots \exists y_1\,(U',\ x_n = y_n +_n s_n \wedge x_{n-1} = y_{n-1} +_{n-1} s_{n-1} \wedge \dots \wedge x_1 = y_1 +_1 s_1,\ S)$$

and $y_n$ is a new variable, which means in particular that $\forall k',\ k' < n \Rightarrow x_{k'} \neq y_n$. 
By induction hypothesis, we have 

$$\forall k, k',\ k' < k \le n - 1 \Rightarrow x_{k'} \neq y_k,$$

which completes the proof. □ 

The fact that the rules Extract_S and Extract_P are terminating is obvious, 
since they are decreasing with respect to the measure defined in Lemma 2. The 
rules Extract^ and Extract_S are sound and complete since they obviously do 
not alter the set of solutions of a matching problem. 
Lemma 6. Let $\exists\bar y'\,(\pi', M')$ be the result of the application of the rule Extract_P 
to $\exists y\,\exists\bar y\,(\pi, M)$, obtained at the third step of the matching algorithm. A substitu- 
tion is a solution of $\exists y\,\exists\bar y\,(\pi, M)$ if and only if it is a solution of $\exists\bar y'\,(\pi', M')$. 

Proof. In order to have the rule Extract_P applicable to $\exists y\,\exists\bar y\,(\pi, M)$, M is of the 
form $(\emptyset,\ x = y + s \wedge P,\ \emptyset)$. Hence $\pi' = \{x \mapsto y\pi + s\} \cup \{x' \mapsto x'\pi \mid x' \in Dom(\pi),\ x' \neq y\}$, 
$\bar y' = \bar y$ and $M' = (\emptyset, P, \emptyset)$. It should be noticed that $x \notin Dom(\pi)$, since a variable 
occurs at most once either in the solved part, or in the partly solved part, or in 
the domain of the substitution. 

1. Let us assume that σ is a solution of $\exists y\,\exists\bar y\,(\pi, M)$; we shall prove that σ is a 
solution of $\exists\bar y\,(\pi', M')$. Since σ is a solution of $\exists y\,\exists\bar y\,(\pi, M)$, there exists σ', a 
solution of $(\pi, M)$, such that σ and σ' are equal except maybe on $y$ and the 
elements of $\bar y$. We define σ'' as σ' except for $y$: $y\sigma'' = y\sigma$. 

(a) The domain of π' is equal to the domain of π, minus $y$, plus $x$. By hy- 
pothesis, σ' extends π; let $x'$ be a variable such that $x' \in Dom(\pi)$, $x' \neq y$: 

$$\begin{aligned}
x'\pi' &= x'\pi && \text{by definition of } \pi' \\
&= x'\sigma' && \sigma' \text{ extends } \pi \\
&= x'\sigma'' && x' \neq y \text{ by hypothesis}
\end{aligned}$$

Concerning $x$: 

$$\begin{aligned}
x\pi' &= y\pi + s && \text{by definition of } \pi' \\
&= y\sigma' + s && \sigma' \text{ extends } \pi \\
&= x\sigma' && \sigma' \text{ is a solution of } M \\
&= x\sigma'' && x \neq y \text{ by Lemma 5}
\end{aligned}$$

Hence, σ'' extends π'. 

(b) σ'' is obviously a solution of $(\emptyset, P, \emptyset)$, since σ' is a solution of $(\emptyset,\ x = 
y + s \wedge P,\ \emptyset)$, and $y$ does not occur in $P$ by Lemma 5. 

As a conclusion, σ'' is a solution of $(\pi', M')$; σ and σ'' are equal except 
maybe on the elements of $\bar y$, hence σ is a solution of $\exists\bar y\,(\pi', M')$. 

2. Let us assume that σ is a solution of $\exists\bar y\,(\pi', M')$; we shall prove that σ is 
a solution of $\exists y\,\exists\bar y\,(\pi, M)$. Since σ is a solution of $\exists\bar y\,(\pi', M')$, there exists 
σ', a solution of $(\pi', M')$, such that σ and σ' are equal except maybe on the 
elements of $\bar y$. We define σ'' as σ' except for $y$: $y\sigma'' = y\pi$. 

(a) It is clear that σ'' extends π since 

— $y\pi = y\sigma''$, 

— let $x'$ be a variable in $Dom(\pi)$, which is different from $y$; since 
$x' \in Dom(\pi)$, $x' \neq x$: 

$$\begin{aligned}
x'\pi &= x'\pi' && x' \neq x,\ x' \neq y \text{ and by definition of } \pi' \\
&= x'\sigma' && \text{since } \sigma' \text{ extends } \pi' \\
&= x'\sigma'' && x' \neq y \text{ and by definition of } \sigma''
\end{aligned}$$

(b) σ'' is a solution of $P$ since σ' is a solution of $P$, and $y$ does not occur in 
$P$. σ'' is also a solution of $x = y + s$: 

$$\begin{aligned}
x\sigma'' &= x\sigma' && x \neq y \text{ and by definition of } \sigma'' \\
&= x\pi' && \sigma' \text{ extends } \pi' \text{ and } x \in Dom(\pi') \\
&= y\pi + s && \text{definition of } \pi' \\
&= y\sigma'' + s && \text{definition of } \sigma''
\end{aligned}$$

Hence σ'' is a solution of $x = y + s \wedge P$. 

As a conclusion, σ'' is a solution of $(\pi, M)$, and σ and σ'' are equal, except 
maybe on $y$ and $\bar y$, hence σ is a solution of $\exists y\,\exists\bar y\,(\pi, M)$. 

Theorem 1. The above matching algorithm is terminating, sound and com- 
plete. 

4 Formal Proof 

We now discuss the main difficulties encountered during the formal proof of the 
algorithm. 

4.1 Terms and Equality Modulo 

The terms are defined in COQ in a very natural way, from a set of symbols and 
a set of variables: 

    Parameter symbol : Set.
    Parameter variable : Set.
    Inductive term : Set :=
      | Var : variable -> term
      | Term : symbol -> list term -> term.

The symbols are equipped with an arity, and the notion of well-formed term 
is easily defined. The equality modulo is defined in several stages, 

— first a single equational step at the top of the terms, but where the associa- 
tivity axiom can be used in both ways, 

— then, a single equational step at any position of the terms, 

— and finally, the reflexive and transitive closure of a single step. The closure 
does not need to be symmetric, since the basic relation is itself symmetric. 

Then, the notion of canonical form of a term is defined, with respect to the 
arity: the direct subterms of a term are recursively put in a canonical form, and 
if the top symbol is commutative, they are sorted; if the top symbol is AC, they 
are flattened and sorted: 

    Fixpoint canonical_form (t : term) : term :=
      match t with
      | Var _ => t
      | Term f l =>
          Term f (match arity f with
                  | Free _ => map canonical_form l
                  | C => quicksort (map canonical_form l)
                  | AC => quicksort (flatten f (map canonical_form l) nil)
                  end)
      end.
It was quite easy to prove that when two terms are AC equal, then their 
canonical forms are identical. In order to prove the converse, however, we needed 
an extra assumption, that is that the terms are well-formed. Moreover, the proof 
was very long (2500 lines of COQ script vs 250 lines for the other direction of 
the equivalence), and uses 7 lemmas, each one of them corresponding with an 
axiom of the syntactic presentation of AC. It was then quite easy to prove that 
checking AC equality of two well-formed terms is decidable, by using the fact 
that checking the syntactic equality of two terms is decidable. The proof uses 
two extra assumptions, which are quite reasonable: the equality of variables and 
the equality of symbols are decidable. 
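As an added example, not code from the paper, from CiME or from the COQ development, the following Python sketch puts the canonical form of Section 4.1 and the rule-based search of Section 3 side by side. The signature ARITY, the '?' prefix marking pattern variables and all function names are this example's own assumptions. Variables of the subject are left untouched, so a pattern may share variables with the subject without renaming, as the paper requires; the don't-know choices of Dec_C, AC_≠/AC_= and AC are explored by backtracking, and an already assigned variable is checked against its value as in Merge_S/Clash_S and the AC_S rules (realized exhaustively here: the assigned value must equal the chosen sub-multiset).

```python
from itertools import combinations
# Signature of this example (an assumption): which symbols are free, C or AC.
ARITY = {'+': 'AC', 'c': 'C', 'f': 'free'}
# Terms: a variable is a string starting with '?', a constant any other string,
# an application a tuple (symbol, arg1, arg2, ...).

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def canonical(t):
    # Section 4.1: canonicalize arguments, sort them under C, flatten then sort under AC.
    if isinstance(t, str):
        return t
    f, args = t[0], [canonical(a) for a in t[1:]]
    if ARITY.get(f) == 'C':
        args.sort(key=repr)
    elif ARITY.get(f) == 'AC':  # arguments are already flat, so one level suffices
        flat = [x for a in args for x in (a[1:] if isinstance(a, tuple) and a[0] == f else [a])]
        args = sorted(flat, key=repr)
    return (f, *args)

def ac_equal(s, t):
    return canonical(s) == canonical(t)  # AC equality decided via canonical forms

def mk(f, args):
    # Rebuild a flattened AC term from its arguments; a single argument stands for itself.
    args = sorted(args, key=repr)
    return args[0] if len(args) == 1 else (f, *args)

def same_top(p, s):
    if isinstance(p, str) or isinstance(s, str):
        return p == s  # constants and subject variables match only themselves
    return p[0] == s[0]

def sub_multisets(subs, lo, hi):
    # Sub-multisets of size lo..hi, each yielded once even if subs has duplicates.
    seen = set()
    for size in range(lo, hi + 1):
        for idx in combinations(range(len(subs)), size):
            chosen = tuple(sorted((subs[i] for i in idx), key=repr))
            if chosen not in seen:
                seen.add(chosen)
                yield list(chosen), [s for i, s in enumerate(subs) if i not in idx]

def match(eqs, subst):
    # Yield every substitution solving eqs; backtracking realizes the don't-know choices.
    if not eqs:
        yield subst
        return
    (p, s), rest = eqs[0], eqs[1:]
    if is_var(p):                                       # Solve, Merge_S, Clash_S
        if p not in subst:
            yield from match(rest, {**subst, p: s})
        elif subst[p] == s:
            yield from match(rest, subst)
    elif not same_top(p, s):                            # Clash
        return
    elif isinstance(p, str):                            # identical constants
        yield from match(rest, subst)
    elif ARITY.get(p[0]) == 'AC':
        yield from match_ac(p[0], list(p[1:]), list(s[1:]), rest, subst)
    elif ARITY.get(p[0]) == 'C':                        # Dec_C: both pairings
        yield from match([(p[1], s[1]), (p[2], s[2])] + rest, subst)
        yield from match([(p[1], s[2]), (p[2], s[1])] + rest, subst)
    elif len(p) == len(s):                              # Dec
        yield from match(list(zip(p[1:], s[1:])) + rest, subst)

def match_ac(f, pats, subs, rest, subst):
    # p1 + ... + pm = s1 + ... + sn for an AC symbol f, both sides flattened.
    if len(pats) > len(subs):                           # Fail: each pi needs one sj
        return
    p, pats = pats[0], pats[1:]
    def remainder(remaining):                           # rest of the AC equation, or None
        if pats and remaining:
            return [(mk(f, pats), mk(f, remaining))]
        return [] if not pats and not remaining else None
    if is_var(p):                                       # AC_S, AC_neq, AC_=: x takes some sj's
        lo, hi = (len(subs), len(subs)) if not pats else (1, len(subs) - len(pats))
        for chosen, remaining in sub_multisets(subs, lo, hi):
            if p in subst and subst[p] != mk(f, chosen):   # AC_S: x's value is already fixed
                continue
            rem = remainder(remaining)
            if rem is not None:
                yield from match(rem + rest, {**subst, p: mk(f, chosen)})
    else:                                               # AC: g(p') takes one sk with top g
        tried = set()
        for k, s in enumerate(subs):
            if same_top(p, s) and s not in tried:
                tried.add(s)
                rem = remainder(subs[:k] + subs[k + 1:])
                if rem is not None:
                    yield from match([(p, s)] + rem + rest, subst)

def ac_match(pattern, subject):
    # All distinct substitutions sigma with pattern*sigma = subject modulo AC/C.
    solutions = []
    for sigma in match([(canonical(pattern), canonical(subject))], {}):
        if sigma not in solutions:
            solutions.append(sigma)
    return solutions
```

ac_match(('+', '?x', '?y'), ('+', 'a', 'b', 'c')) returns the six ways of splitting the multiset {a, b, c} between x and y, and ac_equal is the decision procedure for AC equality that the paper derives from canonical forms. Identical subject arguments are tried only once, which is the duplicate-problem technicality mentioned in Section 4.2, and the Fail condition m ≤ n appears as the length check at the top of match_ac.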



4.2 Matching Modulo 

The modeling part was quite short (300 lines of COQ script) for defining a single 
application of the rules Merge_S, Clash_S, Merge_P, Clash_P, Solve, Clash, 
Dec, Dec_C, AC_S≠, AC_S=, AC_P≠, AC_P=, AC_≠, AC_=, AC and Fail. The 
formal proof follows exactly the pattern given in Section 3, that is, a sequence 
of lemmas in order to show that the rules preserve the fact that a problem is 
well-formed (600 lines), they are decreasing (500 lines), sound (1000 lines) and 
complete (1700 lines). 

Most of the proofs actually concern the permutations of the lists of arguments 
of the terms, using lemmas such as "if two non-empty lists are equal up to 
permutation, after removing the same element from them, the results are still 
equal up to permutation". The proofs are quite long since there are many sub- 
cases, even more than expected from the large number of inference rules. For 
example, for an informal proof, it is enough to distinguish whether or not a term 
has a top symbol equal to the AC function symbol of interest. In a formal proof, 
we have first to handle the case of a variable term, and then the non-variable 
case, which itself splits into two cases according to the top symbol. The convention 
that an AC function symbol applied to a list of arguments of length 1 actually 
denotes the element of the list also doubles the number of cases in a 
formal proof. 

There are also some technicalities due to the fact that we have modeled the 
non-deterministic rules such as AC so as to avoid selecting the same 
subterm of the subject term multiple times should it occur more than once, since 
this would produce multiple instances of the same new problem. 

The extraction part has not been formally proven yet. 

5 Conclusion 

We have proposed here an AC matching algorithm presented by inference rules. 
An intrinsic advantage of this algorithm is that it can directly handle a sub- 
ject term which contains some variables, even when these variables are shared 
with the pattern: no preliminary renaming has to be done. This is important in 
the framework of completion, for example, since the rewriting for normalization 
is performed over non-ground terms which may share some variables with the 
rewrite rules. Another advantage of this algorithm is that it is simple enough 
to be modeled in COQ, and its core is certified: what remains to be proved is 
the extraction step, and Dickson's lemma in order to embed the application 
of a rule into a loop. Once this is done, one will be able to extract cer- 
tified code from the formal proof. The algorithm has been implemented in CiME, 
and behaves reasonably well in practice. It has to be mentioned that even if the 
code was quite short and well-understood, the formal proof of the algorithm has 
revealed that the implemented version was not complete, since the part corre- 
sponding to the rule AC_P≠ was missing. As a conclusion, this paper presents 
the first certified AC matching algorithm, at least to the author's knowledge. 
This should be a first step towards a certified AC unification algorithm, since a lot of 
preliminary work has been done. 
Abstract. The program Matchbox implements the exact computation 
of the set of descendants of a regular language, and of the set of non- 
terminating strings, with respect to an (inverse) match-bounded string 
rewriting system. Matchbox can search for proof or disproof of a Boolean 
combination of match-height properties of a given rewrite system, and 
some of its transformed variants. This is applied in various ways to search 
for proofs of termination and non-termination. Matchbox is the first pro- 
gram that delivers automated proofs of termination for some difficult 
string rewriting systems. 

1 Introduction 

The theory of match bounded string rewriting, recently developed in [4, 6–8], al- 
lows applying methods from formal language theory to problems of string rewrit- 
ing. The basic result is a decomposition theorem. It implies effective preservation 
of regular languages, and effective regularity of the set of non-terminating strings 
w.r.t. the inverse system. The program Matchbox contains implementations of 
all of the fundamental algorithms, and allows applying them in various settings. 
Given a rewrite system, Matchbox searches for proofs and disproofs of a Boolean 
combination of match-height properties of the input, and possibly transformed 
versions of it. 

Since match-bounded systems are terminating, a verification of match-bound- 
edness is a proof of termination. This method can be extended by verifying 
match-boundedness for right hand sides of forward closures only. Another way 
to use match-bounds for deciding termination is to verify match-boundedness 
for the inverse system (with left and right hand sides swapped). For inverse 
match-bounded systems, the set of non-terminating strings is effectively regular, 
so termination can be decided. Again, this idea can be extended by using the 
inverse of the ancestor system instead. 

For the exact computation of the set of descendants, represented as a finite 
automaton, the decomposition theorem gives a procedure that has high complex- 
ity (both in the run time and in the source text). Recently, Zantema developed 
a very efficient algorithm [14] that approximates the rewrite closure of an au- 
tomaton. If this computation halts, termination can be inferred as well - even if 
the approximated match-bound is too large. Matchbox implements a variant of 
this algorithm. 
2 Theoretical Background 

We cite here the basic definitions and results on match-bounded string rewriting. 
Standard notation from rewriting and formal language theory is assumed. If $R$ 
is a rewriting system over $\Sigma$, we often denote its rewrite relation $\to_R$ on $\Sigma^*$ by 
$R$ as well. If the inverse $R^-$ of a rewriting system $R$ has property $p$, we also say 
that $R$ has property inverse-$p$. 

We annotate positions in strings by natural numbers that indicate their 
matching height. Positions in a reduct will get height $h + 1$ if the minimal height 
of all positions in the corresponding redex is $h$. 

Define the morphisms $\mathrm{lift}_c : \Sigma^* \to (\Sigma \times \mathbb{N})^*$ for $c \in \mathbb{N}$ by $\mathrm{lift}_c : a \mapsto (a, c)$, 
$\mathrm{base} : (\Sigma \times \mathbb{N})^* \to \Sigma^*$ by $\mathrm{base} : (a, c) \mapsto a$, and $\mathrm{height} : (\Sigma \times \mathbb{N})^* \to \mathbb{N}^*$ by 
$\mathrm{height} : (a, c) \mapsto c$. 

For a string rewriting system $R$ over an alphabet $\Sigma$ with $\varepsilon \notin \mathrm{lhs}(R)$ we define 
the system 

$$\mathrm{match}(R) = \{\ell' \to \mathrm{lift}_c(r) \mid (\ell \to r) \in R,\ \mathrm{base}(\ell') = \ell,\ c = 1 + \min(\mathrm{height}(\ell'))\}$$

over alphabet $\Sigma \times \mathbb{N}$. For example, the system $\mathrm{match}(R)$ for $R = \{aa \to aba\}$ 
contains the rules $\{a_0a_0 \to a_1b_1a_1,\ a_0a_1 \to a_1b_1a_1,\ a_1a_0 \to a_1b_1a_1,\ a_1a_1 \to 
a_2b_2a_2,\ a_0a_2 \to a_1b_1a_1, \dots\}$, where $x_c$ is shorthand for $(x, c) \in \Sigma \times \mathbb{N}$. Note 
that $\mathrm{match}(R)$ is an infinite system. 

A string rewriting system $R$ over $\Sigma$ with $\varepsilon \notin \mathrm{lhs}(R)$ is called match-bounded 
for $L \subseteq \Sigma^*$ by $c \in \mathbb{N}$ if $\max(\mathrm{height}(x)) \le c$ for every $x \in \mathrm{match}(R)^*(\mathrm{lift}_0(L))$. If 
we omit $L$, then it is understood that $L = \Sigma^*$. 
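As an added illustration, not part of Waldmann's paper nor of Matchbox, the following Python code applies the definitions above literally: it annotates letters with heights (lift, base and height as defined on the page), performs match(R) rewrite steps, and enumerates match(R)*(lift_0(w)) for a single start string w, a set that is finite whenever R terminates on w. The systems {aa → aba} and Zantema's {aabb → bbbaaa} are the page's; the function names and the tuple representation are this example's assumptions. Matchbox works on automata for whole regular languages L, which this string-by-string enumeration does not attempt.

```python
from collections import deque

# An annotated string is a tuple of (letter, height) pairs; lift_c(w) gives every letter height c.
def lift(word, c):
    return tuple((a, c) for a in word)

def base(annotated):
    return ''.join(a for a, _ in annotated)

def height(annotated):
    return [c for _, c in annotated]

def match_rewrite_step(annotated, rules):
    # All one-step match(R) successors: a redex l' with base(l') = l is replaced by
    # lift_c(r) for c = 1 + min(height(l')).  rules is a list of (lhs, rhs) strings.
    out = []
    for lhs, rhs in rules:
        for i in range(len(annotated) - len(lhs) + 1):
            redex = annotated[i:i + len(lhs)]
            if base(redex) == lhs:
                c = 1 + min(height(redex))
                out.append(annotated[:i] + lift(rhs, c) + annotated[i + len(lhs):])
    return out

def descendants(word, rules):
    # match(R)*(lift_0(word)) by breadth-first closure; finite when R terminates on word.
    start = lift(word, 0)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in match_rewrite_step(queue.popleft(), rules):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def max_height(word, rules):
    # The least c such that R is match-bounded for {word} by c.
    return max(max(height(x)) for x in descendants(word, rules))

def show(annotated):
    return ' '.join(f'{a}{c}' for a, c in annotated)  # a1 b1 a1, as written on the page

if __name__ == '__main__':
    R = [('aa', 'aba')]                      # the page's example system
    for x in sorted(descendants('aaaa', R), key=len):
        print(show(x))
    print('match-bound for aaaa:', max_height('aaaa', R))
```

For w = aaaa the closure contains a1 b1 a2 b2 a2 b1 a1, so the rule a1a1 → a2b2a2 listed above is actually used and the bound for that single string is 2; for w = aaa every descendant has height at most 1.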

Proposition 1 (Decomposition Theorem, [10]). For each match-bounded 
string rewriting system $R$ over $\Sigma$ there effectively are an alphabet $\Gamma \supseteq \Sigma$, a finite 
substitution $s : \Sigma^* \to \Gamma^*$, and a context-free string rewriting system $C$ such that 
$R^* = (s \circ C^{-*})|_{\Sigma^*}$. 

Here, we call $C$ context-free if for each rule $(\ell, r) \in C$ we have $|\ell| \le 1$. The 
decomposition implies that $R^*$ effectively preserves regularity of languages, and 
that $R^{-*}$ effectively preserves context-freeness. As an application, we get: 

Proposition 2 ([4]). Given a string rewriting system $R$, a regular language $L$, 
and $c \in \mathbb{N}$, it is decidable whether $R$ is match-bounded by $c$ for $L$. 

For a relation $\rho$ over $U$, let $\mathrm{Inf}(\rho) = \{x \in U \mid \exists^\infty y : \rho(x, y)\}$ denote the set 
of elements with infinitely many descendants. 

Proposition 3 ([4, 7]). If $R$ is inverse match-bounded, then $\mathrm{Inf}(R^*)$ is effec- 
tively regular, and termination of $R$ is decidable. 

For a string rewriting system $R$ over $\Sigma$, the set of forward closures [11, 2] 
$\mathrm{FC}(R) \subseteq \Sigma^* \times \Sigma^*$ is defined as the least set containing $R$ such that 

— if $(u, v) \in \mathrm{FC}(R)$ and $v \to_R w$, then $(u, w) \in \mathrm{FC}(R)$ (inside reduction), and 
— if $(u, v\ell_1) \in \mathrm{FC}(R)$ and $(\ell_1\ell_2 \to r) \in R$ for strings $\ell_1, \ell_2 \in \Sigma^+$, then 
$(u\ell_2, vr) \in \mathrm{FC}(R)$ (right extension). 
Let $\mathrm{RFC}(R) = \{y \mid \exists x : (x, y) \in \mathrm{FC}(R)\}$ denote the set of right hand sides of 
forward closures. It is known [1] that a string rewriting system $R$ is terminating 
on $\Sigma^*$ if and only if $R$ is terminating on $\mathrm{RFC}(R)$. 

We can obtain $\mathrm{RFC}(R)$ as a set of descendants modulo the rewriting system 

$$\mathrm{rfc}(R) = R \cup \{\ell_1\# \to r \mid (\ell_1\ell_2 \to r) \in R,\ \ell_1, \ell_2 \in \Sigma^+\}$$

over $\Sigma \cup \{\#\}$, where right extension is simulated via the end-marker $\#$. This 
leads to the following termination criterion. 

Proposition 4 ([5, 6]). If $\mathrm{rfc}(R)$ is match-bounded for $\mathrm{rhs}(R) \cdot \#^*$, then $R$ is 
terminating. 

Likewise, we can restrict the language when computing heights for the inverse 
system. The ancestor system of $R$ is defined as 

$$\begin{aligned}
\mathrm{ancestor}(R) = R &\cup \{\ell \to r_1) \mid (\ell \to r_1r_2) \in R,\ r_1, r_2 \in \Sigma^+\} \\
&\cup \{\ell \to (r_2 \mid (\ell \to r_1r_2) \in R,\ r_1, r_2 \in \Sigma^+\} \\
&\cup \{\ell \to (r_2) \mid (\ell \to r_1r_2r_3) \in R,\ r_1, r_2, r_3 \in \Sigma^+\},
\end{aligned}$$

where $)$ and $($ are two fresh letters. 

Proposition 5 ([8]). If $\mathrm{ancestor}(R)$ is inverse match-bounded for $(^* \cdot \mathrm{lhs}(R) \cdot )^*$, 
then termination of $R$ is decidable. 

3 How to Use Matchbox 

As core functionalities, Matchbox inputs a string rewriting system $R$ over $\Sigma$ and 
a regular expression for a language $L$ over $\Sigma$, and it computes (an approximation 
to) an automaton for $\mathrm{match}(R)^*(\mathrm{lift}_0(L))$, as well as an automaton for $\mathrm{Inf}(R^{-*})$. 

These basic computations actually consist of a sequence of steps. Basic com- 
putations can be modified and combined, using a very expressive control lan- 
guage. 

The output can be rendered as an HTML document that also includes visu- 
alizations of automata graphs, obtained by tools from the GraphViz suite. 

3.1 Stepwise Computation 

Given $R$ and $L$, Matchbox computes a sequence of finite automata $A_0, A_1, \dots$ 
over $\Sigma \times \mathbb{N}$ such that $L_0 = L(A_0) \subseteq L(A_1) \subseteq \dots \subseteq \mathrm{match}(R)^*(L_0)$, writing 
$L_0$ for $\mathrm{lift}_0(L)$. Here, $L(A_{k+1}) = R_k^*(L(A_k))$ where $R_k$ consists of exactly those 
rules of $\mathrm{match}(R)$ whose left hand side occurs in $L(A_k)$, viz. 

$$R_k = \mathrm{match}(R) \cap (\mathrm{factors}(L(A_k)) \times (\Sigma \times \mathbb{N})^*).$$

Note that each $R_k$ is finite and terminating. 

If $L(A_n) = \mathrm{match}(R)^*(\mathrm{lift}_0(L))$ for some $n$, then $R$ is match-bounded for $L$, 
and $A_n$ is a certificate. 

Matchbox also computes $I_k = \mathrm{Inf}(R_k^{-*})$ by Proposition 3. A non-empty $I_k$ 
certifies non-termination of $R^-$. If $I_k = \emptyset$ and $A_k$ is closed under rewriting, then 
this proves termination of $R^-$. 



Johannes Waldmann 



3.2 Example: Computing the Set of Descendants 

In the following examples, we describe how Matchbox is called from the command 
line. Equivalent input options are available in the web interface. 

Here is how to compute match(i?)*(Ln) for Zantema’s System R = — > 

63a3} andL= (a264)*: 



Matchbox aabb bbbaaa — control="bound match" — for="(a"2 b~4)~*" 

(Note that arguments have to be quoted in order to protect them from being 
evaluated by the operating system shell.) The output is 

[("aabb","bbbaaa")] : True
value of ‘bound match’
is True, because

R is match bounded by 2

for R = [("aabb","bbbaaa")]
and L = (a^2 b^4)^*

with size of closure automaton (non-det, det) : (21, 21)

The following automaton for match(R)*(L_0) is obtained, which is rendered in a compressed notation where arrows are labelled by strings (instead of letters). The start and end state is double-circled. By inspection, it can be verified that the automaton is closed under rewriting.

In many cases, match-boundedness can be constructively disproved by regular sets of self-embedding witnesses [4]. Option --embed=n (for n > 0) instructs Matchbox to try and construct such a set. If one is found, bound match returns False. Otherwise, the proof attempt will eventually fail (after breaking the limits that have been set as configuration parameters).
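The stepwise computation of Section 3.1 rests on match(R) rewriting: every letter carries a height, and a reduct gets height 1 + (minimum height of the redex). The following Python is an added illustration, not Matchbox code: it implements that lifting on annotated words and enumerates match(R)*(lift0(w)) for a single start word of Zantema's system. Because the system is terminating, every start word has finitely many descendants, so the enumeration halts; the `limit` guard and the start words are my choices.

```python
# Added example (not part of Matchbox): match(R) rewriting on height-annotated
# words and exhaustive enumeration of the descendants of one start word.
from typing import List, Set, Tuple

Annotated = Tuple[Tuple[str, int], ...]     # a word over Sigma x N
Rule = Tuple[str, str]                      # (lhs, rhs) over Sigma


def lift0(word: str) -> Annotated:
    """lift0(w): every letter of w annotated with height 0."""
    return tuple((c, 0) for c in word)


def base(word: Annotated) -> str:
    """Forget the height annotations."""
    return "".join(c for c, _ in word)


def match_successors(word: Annotated, rules: List[Rule]) -> Set[Annotated]:
    """All one-step match(R) reducts of an annotated word."""
    out: Set[Annotated] = set()
    for lhs, rhs in rules:
        p = len(lhs)
        for i in range(len(word) - p + 1):
            redex = word[i:i + p]
            if base(redex) != lhs:
                continue
            height = 1 + min(h for _, h in redex)   # m_i = 1 + min_j n_j
            reduct = tuple((c, height) for c in rhs)
            out.add(word[:i] + reduct + word[i + p:])
    return out


def descendants(start: str, rules: List[Rule], limit: int = 100_000) -> Set[Annotated]:
    """match(R)*(lift0(start)) by breadth-first closure.  Halts only if the
    start word has finitely many descendants (true for every word when R is
    terminating); `limit` is an assumed safety bound on the set size."""
    seen: Set[Annotated] = {lift0(start)}
    frontier: List[Annotated] = [lift0(start)]
    while frontier:
        nxt: List[Annotated] = []
        for w in frontier:
            for v in match_successors(w, rules):
                if v not in seen:
                    seen.add(v)
                    nxt.append(v)
        if len(seen) > limit:
            raise RuntimeError("descendant set exceeds limit; bound unknown")
        frontier = nxt
    return seen


def match_height(start: str, rules: List[Rule]) -> int:
    """The largest height occurring in any descendant of lift0(start)."""
    return max(h for w in descendants(start, rules) for _, h in w)


if __name__ == "__main__":
    ZANTEMA = [("aabb", "bbbaaa")]           # the system from the text
    for w in ("aabbbb", "aabbbbaabbbb"):     # constructed words from (a^2 b^4)^*
        ds = descendants(w, ZANTEMA)
        print(w, "has", len(ds), "descendants, max height", match_height(w, ZANTEMA))
```

For a whole regular language L the set of start words is infinite, which is exactly why Matchbox works on automata A_k rather than on individual words; the enumeration above is the word-level special case that the automaton construction generalizes.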




3.3 Regular Expressions 

The following notation is available for regular expressions: 

– atomic expressions:

  • lowercase letters and digits stand for themselves

  • there are some identifiers, starting with an upper case letter:

    * Eps denotes ε,

    * Sigma stands for the set Σ of letters occurring in the rewriting system,

    * and All denotes Σ*

  • parenthesized compound expressions

– compound expressions, using binary operators (listed in order of precedence):

  • powers: L ^ e for e a natural number, or *, or +,

  • concatenation: L1 * L2, but the * operator can also be omitted,

  • left and right quotient, shuffle: \, /, $

  • intersection, union, difference and symmetric difference: &, +, <>

Matchbox computes the minimal deterministic automaton for the corresponding language.

3.4 Example: Computing Inf(R*)

Matchbox can check whether ∅ = Inf(R*) as well.

Matchbox aba baaab --control="empty-inf match"

The output is

[("aba","baaab")] : False

value of ‘empty-inf match’
is False, because

Inf(R^-*) contains Sigma^* (aaba + abaa) Sigma^*
for R = [("baaab","aba")]
and L = Sigma^*

The language Inf(R*) has been determined via the decomposition theorem, but it can be verified independently, since any non-empty regular language I with I ⊆ R^-(I) is an effective certificate of non-termination, because it contains only non-terminating words.

To obtain a representation as in the example, Matchbox computes the set K of factor-minimal words of I (no proper factor of a K word is in I) by K = I \ (Σ · I ∪ I · Σ). (Often K is found to be finite.) Then Σ*KΣ* is a nice representation for I (or for a superset of I that still is a certificate).
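The certificate condition I ⊆ R^-(I) can be checked by hand for a representation Σ*KΣ* with finite K: it suffices that every word of K has a one-step successor that again contains a word of K, since rewriting a factor inside a longer word leaves the rest untouched. The following Python is an added example, not Matchbox code; it reads the output above as certifying that aba → baaab (the system given on the command line, whose inverse is the displayed R) is non-terminating, with K = {aaba, abaa}, and uses the certificate to drive a derivation of any length.

```python
# Added example (not part of Matchbox): checking a regular non-termination
# certificate Sigma* K Sigma* for finite K, and following the derivation it
# guarantees.  System and K are read off the Matchbox output in the text.
from typing import List, Optional, Tuple

Rule = Tuple[str, str]


def one_step(word: str, rules: List[Rule]) -> List[str]:
    """All words reachable from `word` in exactly one rewrite step."""
    out: List[str] = []
    for lhs, rhs in rules:
        i = word.find(lhs)
        while i != -1:                       # every occurrence, overlaps included
            out.append(word[:i] + rhs + word[i + len(lhs):])
            i = word.find(lhs, i + 1)
    return out


def contains_factor(word: str, K: List[str]) -> bool:
    """word in Sigma* K Sigma*."""
    return any(k in word for k in K)


def is_certificate(K: List[str], rules: List[Rule]) -> bool:
    """Sufficient condition for I = Sigma* K Sigma* to satisfy I ⊆ R^-(I):
    each k in K rewrites in one step to a word that again contains some
    word of K.  Then every word of I has a successor in I, so no word of I
    terminates."""
    return all(any(contains_factor(s, K) for s in one_step(k, rules)) for k in K)


def certified_derivation(start: str, K: List[str], rules: List[Rule], steps: int) -> Optional[List[str]]:
    """Follow `steps` rewrite steps, always choosing a successor that stays in
    Sigma* K Sigma*; None if the start word is not in I."""
    if not contains_factor(start, K):
        return None
    path = [start]
    for _ in range(steps):
        path.append(next(s for s in one_step(path[-1], rules) if contains_factor(s, K)))
    return path


if __name__ == "__main__":
    R = [("aba", "baaab")]                   # command-line system from the text
    K = ["aaba", "abaa"]                     # factor-minimal words reported by Matchbox
    print("certificate:", is_certificate(K, R))
    for w in certified_derivation("aaba", K, R, 5):
        print(w)
```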

3.5 Atomic Computations: Predicates and Transformers 

With bound match and empty-inf match, we have seen two examples of atomic computations. In general, an atomic computation is specified by

– a predicate that is to be applied to a pair (R, L) of a string rewriting system R and regular language L,

– and a (possibly empty) sequence of transformations that are applied to (R, L) beforehand.

Available predicates are

– bound match: prove or disprove that R is match-bounded for L (for length-preserving systems, also bound change is available [13])

– empty-inf match: prove or disprove that Inf(R^-*) is empty

– loop: prove that R has a loop (by enumeration of forward closures)

The following transformers can be applied:

– reverse: reverse the rewriting system, replace R by reverse(R)

– inverse: invert the rewriting system, replace R by R^-

– rfc: replace R by the system rfc(R), and L by rhs(R) · #*

– ancestor: replace R by the system ancestor(R), and L by ( ( · lhs(R) · ) )*

For instance, match heights for right hand sides of forward closures of the reversed system are computed by

Matchbox babaaa aaababab --control="bound match . rfc . reverse"

Here, reverse(R) is RFC-match-bounded by 1, but R does not seem to be RFC-match-bounded (although Matchbox cannot prove this).

3.6 The Control Language 

The argument to the --control option is a Boolean expression that describes a combination of properties of a rewrite system. Matchbox tries to decide the truth value of the expression.

For instance, the command

Matchbox -E Nogrid --control="not bound match . rfc \
and approx match . rfc . reverse"

enumerates one-rule non-grid systems [3] and produces output like this:

2 : [("aba","aaabb")] : False

value of ‘not bound match . rfc and approx match . rfc . reverse’
is False, because

value of ‘not bound match . rfc’
is False, because

value of ‘bound match . rfc’
is True, because

R is match bounded by 0

for R = [("aba","aaabb")
        ,("a#","aaabb"),("ab#","aaabb")]
and L = aaabb #^*

with size of closure automaton (non-det, det) : (6, 6)

Any number of atomic Matchbox proof searches can be combined, using the standard boolean connectives (not, and, or). Combinations are evaluated concurrently. The scheduling is done in such a way that each (interesting) subcomputation executes one step in turn.

The evaluation uses shortcuts: as soon as one False occurs in a conjunction, 
the result is False and all its subcomputations are discarded; likewise for a True 
in an alternative. 

A special parallel connective par is available. In p par q, both proof attempts 
are started, and as soon as one of them returns a value, this is taken as the value 
of the connective, and the other attempt is discarded. 
This will give a well-defined result only in case the computations are compatible, i.e. if it cannot happen that one returns True, and the other would later return False. Typically, one would use par to combine attempts to prove the same thing (e.g., termination) via different methods, as in

Matchbox aabb bbbaaa --control="(not loop) par \
(bound match . rfc) par (bound match . rfc . reverse)"

Note that not loop will return False as soon as it finds a loop (but it will never say True because a simple enumeration cannot prove absence of loops), and the bound match . rfc proof attempts will return True on success.
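The evaluation rules just described (round-robin stepping, a False short-cutting a conjunction, a True short-cutting an alternative, and par taking the first answer) can be modelled with generators. The Python below is an added miniature, not Matchbox's implementation: atomic proof searches are stand-ins that answer after a chosen number of steps (or never, like `loop` when no loop exists), and the connectives are combinators over them. The names and the step counting are my constructions.

```python
# Added example (not Matchbox code): a miniature of the control-language
# evaluation.  An attempt yields None while still working and finally a bool;
# if it stops without a bool it has failed to find an answer.
from typing import Callable, Iterator, List, Optional, Tuple

Attempt = Iterator[Optional[bool]]
Expr = Callable[[], Attempt]           # restartable: calling it starts a fresh attempt


def answer_after(steps: int, value: Optional[bool]) -> Expr:
    """Constructed stand-in for an atomic search (e.g. `bound match`) that
    needs `steps` iterations before reporting `value`; value=None models a
    search such as `loop` that can never answer True."""
    def run() -> Attempt:
        for _ in range(steps):
            yield None
        if value is not None:
            yield value
    return run


def NOT(p: Expr) -> Expr:
    def run() -> Attempt:
        for v in p():
            if v is None:
                yield None
            else:
                yield not v
                return
    return run


def AND(p: Expr, q: Expr) -> Expr:
    """Both sides step in turn; a False on either side answers False at once
    and the other side is discarded (the shortcut described in the text)."""
    def run() -> Attempt:
        subs: List[Optional[Attempt]] = [p(), q()]
        done = [False, False]
        while any(s is not None for s in subs):
            for i in range(2):
                s = subs[i]
                if s is None:
                    continue
                try:
                    v = next(s)
                except StopIteration:      # this side gave up without an answer
                    subs[i] = None
                    continue
                if v is None:
                    yield None             # one step taken, still undecided
                elif v is False:
                    yield False
                    return
                else:
                    done[i] = True
                    subs[i] = None
        if all(done):
            yield True
    return run


def OR(p: Expr, q: Expr) -> Expr:
    """De Morgan: a True in an alternative short-cuts like a False in a conjunction."""
    return NOT(AND(NOT(p), NOT(q)))


def PAR(p: Expr, q: Expr) -> Expr:
    """p par q: both run, the first answer wins, the other attempt is dropped."""
    def run() -> Attempt:
        subs: List[Optional[Attempt]] = [p(), q()]
        while any(s is not None for s in subs):
            for i in range(2):
                s = subs[i]
                if s is None:
                    continue
                try:
                    v = next(s)
                except StopIteration:
                    subs[i] = None
                    continue
                if v is None:
                    yield None
                else:
                    yield v
                    return
    return run


def evaluate(expr: Expr, max_steps: int = 10_000) -> Tuple[Optional[bool], int]:
    """Drive an expression; returns (answer or None, number of steps taken)."""
    steps = 0
    for v in expr():
        steps += 1
        if v is not None or steps >= max_steps:
            return v, steps
    return None, steps
```

With `AND(answer_after(2, False), answer_after(1000, True))` the conjunction answers False after five steps instead of waiting for the slow side, and `NOT(answer_after(1, None))` never answers, which is the behaviour of `not loop` on a system without a loop.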

The following transformation is also provided: on input R, Matchbox can try to prove termination of R by looking at all systems obtained by dropping common prefixes and suffixes. For instance, the command

Matchbox ababaaa aaaababab --factors \
--control="bound match . rfc par bound match . rfc . reverse"

will find the reverse-RFC-match-bound 1 for babaaa → aaababab. Note that in this case, neither R nor reverse(R) is RFC-match-bounded.

3.7 Approximate Computations of Termination Certificates 

For a string rewriting system R over Σ, and a language L over Σ, a finite automaton A over Σ × ℕ can be employed as a certificate of termination if

– (start condition): lift0(L) ⊆ L(A), and

– (closure under match(R)): for each rule (ℓ → r) ∈ match(R), and for each redex path p -ℓ-> q in A, there is a corresponding reduct path p -r-> q between the same pair of states.

As proven by Zantema's recent implementation in TORPA, such automata can be constructed directly (i.e., without using the decomposition theorem for some subset of match(R)) from an automaton for lift0(L). Following the above definition, if a reduct path is not there, it has to be added. In general, this will require adding states as well, so the process is not guaranteed to stop (even if R is match-bounded).

When approximating, Matchbox tries to re-use existing states as much as possible. It is looking for reduct decompositions r = xyz such that there are paths p -x-> p' and q' -z-> q in A, so that only the path p' -y-> q' has to be added.

Matchbox adds a shortest non-empty such path p' -y-> q' for which the following restriction holds: if at least one of x or z is non-empty, then it is not allowed that there already is a path p' -y'-> q' in A with base(y) = base(y'). It is felt that the presence of such a path (that usually has lower height annotations) leads to non-termination of the algorithm.

While Zantema's approximation seems very well suited to RFC-match-bounds, the Matchbox approximation described here is also applicable to standard match bounds, as examples show. For instance,

Matchbox aabb bbbaaa --control="approx match" --chunk=2

computes a termination certificate. The option chunk=n instructs Matchbox to add at most n reduct paths in one approximation step. (If --chunk is missing, then all missing reduct paths are added in one step.)

It is interesting to note that in the above example, a certificate automaton with 51 states is obtained, while the exact automaton for match(R)*(L_0) has 85 states.



3.8 Configuration Parameters 

Matchbox understands many more options. The command Matchbox -h gives a 
complete list. 

To control the output, -T requests a computation trace (as plain text to stdout), and -D will write HTML output, including automata graphs that are rendered with a graph layout program, which can be set by --layout=p, where p ∈ {dot, neato}.

To control the computation, the maximum number of iterations (for each subcomputation) can be set with -c n, and the maximum number of states of intermediate automata by -p n. Proof attempts will fail if they reach these bounds.

4 Software Engineering Aspects 

Matchbox has been designed for flexibility and extendibility. For the user, it provides a rather expressive control language, and for the programmer, its source text (approx. 10 kLOC) is factorized into approx. 200 hierarchical modules.

Polymorphic data types and higher order functions are used to support orthogonal design and re-usability. In fact, half of the modules (those for input (parsing), (web) output, and finite automata) are being developed and used in another large project [12].

Matchbox relies on standard libraries and tools: the Parsec parser combinator library by Daan Leijen; the pretty printing library by John Hughes and Simon Peyton Jones; the Network.CGI library by Erik Meijer, Sven Panne and Andy Gill; the DrIFT generic programming tool by Noel Winstanley, Malcolm Wallace and John Meacham; and the GraphViz toolkit by Emden Gansner et al.

Matchbox is implemented in Haskell, the standard polymorphic higher order lazy functional programming language, using some extensions (existential types, multi parameter type classes, and functional dependencies). It can be compiled with ghc, the Glasgow Haskell Compiler (version 6.0 or later), so it runs on any ghc-supported platform. (It was tested on GNU Linux and Solaris.)

The Matchbox web page is at http://theol.informatik.uni-leipzig.de/matchbox/. It contains instructions for downloading, compiling, and using the program, and there is also a web interface to an online evaluation copy.
5 Conclusion: Related Work and Further Research

Matchbox has been written to explore match-bounded string rewriting, and it is not intended to be a general-purpose termination prover. So a direct comparison between such provers on the one hand, and Matchbox's ability to generate termination proofs on the other, would miss the point.

Match-bounded rewriting can be seen as a method that analyzes local overlap patterns of rule applications with utmost accuracy. Therefore it “wins” w.r.t. other methods that cannot use such information. On the other hand, Matchbox “loses” in many termination problems that can be handled by standard methods like path orders, interpretations, labellings, or dependency pairs.

As match bounds seem orthogonal to standard methods, a termination prover 
that combines both should be rather more powerful - as TORPA [14] shows. 

We plan to extend Matchbox to term rewriting; mainly to compute sets of 
descendants of regular tree languages, but hopefully giving new ways of proving 
termination on the way. 
Abstract. The tool TORPA (Termination of Rewriting Proved Automatically) can be used to prove termination of string rewriting systems (SRSs) fully automatically. The underlying techniques include semantic labelling, polynomial interpretations, recursive path order, the dependency pair method and match bounds of right hand sides of forward closures.



1 Introduction 

Lots of techniques have been developed for proving termination of rewriting. In the last few years, work in this area has concentrated on proving termination automatically: the development of tools by which a rewrite system can be entered and by which a termination proof is generated fully automatically.

The tool TORPA has been developed by the author. The present version only 
works on string rewriting. On the one hand this is a strong restriction compared 
to general term rewriting. On the other hand string rewriting is a natural and 
widely accepted paradigm with full computational power. 

There are many small SRSs from a wide variety of origins for which termination is proved fully automatically by TORPA within a fraction of a second. For some of them all other techniques for (automatically) proving termination seem to fail.

The main feature of TORPA is that an SRS is given as input and that TORPA generates a proof that this SRS is terminating. This proof is given in text. It is given in such a way that any human familiar with the basic techniques used in TORPA as they are described here can read and check the proof. The five basic techniques used are

– polynomial interpretations ([10]),

– recursive path order ([5]),

– semantic labelling ([12]),

– dependency pairs ([1]), and

– RFC-match-bounds ([7]).

Polynomial interpretations, recursive path order and RFC-match-bounds are direct techniques to prove termination, while semantic labelling and dependency pairs are techniques for transforming an SRS to another one in such a way that termination of the original SRS can be concluded from (relative) termination of the transformed SRS. Semantic labelling is the most significant transformation used in TORPA. For very small SRSs, in particular single rules, RFC-match-bounds provide the most powerful technique. In this system description we describe how the given five techniques are applied, and give some examples of proofs as they are generated by TORPA. For more examples and a full exposition of the theory including proofs of the theorems, but excluding the most recent part on RFC-match-bounds, we refer to [14].

Other tools like TTT ([9]), CiME ([4]) and AProVE ([6]) combine dependency pairs and path orders, too, and apply them in a much more involved way than we do. The tool Termptation ([3]) is based on the semantic path order. They turn out to be the best tools for proving termination of term rewriting at the moment. However, applied to SRSs all of these tools are much weaker than TORPA.

A completely different approach is RFC-match-boundedness as introduced in [7], and implemented in the tool Matchbox by Johannes Waldmann. However, Matchbox only involves techniques related to match-boundedness, and for typically hard examples like aabb → bbbaaa TORPA is much more efficient than the Matchbox version from before January 2004, when the authors of [7] were informed about the heuristics implemented in TORPA.

TORPA is freely available in two versions:

– A full executable version written in Delphi with a graphical user interface, including facilities for editing SRSs. This runs directly in any Windows environment.

– A plain version written in standard Pascal to be used on other platforms, or for running batches.

Downloading is done from

http://www.win.tue.nl/~hzantema/torpa.html

where also some more detailed information is given. The present version is version 1.2. In the earlier version 1.1 RFC-match-boundedness was not implemented.

The structure of this paper is as follows. First we give preliminaries of string 
rewriting and relative termination. Then in five consecutive sections we discuss 
each of the basic techniques. In the final section we give conclusions and discuss 
further research. To distinguish text generated by TORPA from the text of the 
paper the text generated by TORPA is always given in typewriter font. 

2 Preliminaries 

A string rewrite system (SRS) over an alphabet Σ is a set R ⊆ Σ⁺ × Σ*. Elements (l, r) ∈ R are called rules and are written as l → r; l is called the left hand side (lhs) and r is called the right hand side (rhs) of the rule. In TORPA format the arrow → is written by the two symbols ->. A string s ∈ Σ* rewrites to a string t ∈ Σ* with respect to an SRS R, written as s →_R t, if strings u, v ∈ Σ* and a rule l → r ∈ R exist such that s = ulv and t = urv.

An SRS R is called terminating (strongly normalizing, SN(R)) if no infinite sequence t_1, t_2, t_3, ... exists such that t_i →_R t_{i+1} for all i = 1, 2, 3, .... An SRS R is called terminating relative to an SRS S, written as SN(R/S), if no infinite sequence t_1, t_2, t_3, ... exists such that

– t_i →_{R∪S} t_{i+1} for all i = 1, 2, 3, ..., and

– t_i →_R t_{i+1} for infinitely many values of i.

The notation R/S is also used for the rewrite relation →_S* · →_R · →_S*; clearly SN(R/S) coincides with termination of this rewrite relation. By definition SN(R/S) and SN(R/(S \ R)) are equivalent. Therefore we will use the notation SN(R/S) only for R and S being disjoint. In writing an SRS R ∪ S for which we want to prove SN(R/S) we write the rules of R by l → r and the rules of S by l →= r. In TORPA format the arrow →= is written by the three symbols ->=. The rules from R are called strict rules; the rules from S are called non-strict rules. Clearly SN(R/∅) and SN(R) coincide.

Our first theorem is very fruitful for stepwise proving (relative) termination.

Theorem 1. Let R, S, R' and S' be SRSs for which

– R ∪ S = R' ∪ S' and R ∩ S = R' ∩ S' = ∅,

– SN(R'/S') and SN((R ∩ S')/(S ∩ S')).

Then SN(R/S).

Theorem 1 is applied in TORPA as follows. In trying to prove SN(R/S) it is tried to split up R ∪ S into two disjoint parts R' and S' for which R' ≠ ∅ and SN(R'/S'). If this succeeds then the proof obligation SN(R/S) is weakened to SN((R ∩ S')/(S ∩ S')), i.e., all rules from R' are removed. This process is repeated as long as it is applicable. If after a number of steps R ∩ S' = ∅ then SN((R ∩ S')/(S ∩ S')) trivially holds and the desired proof has been given.

Next we consider reversing strings. For a string s write s^rev for its reverse. For an SRS R write R^rev = { l^rev → r^rev | l → r ∈ R }.

Lemma 1. Let R and S be disjoint SRSs. Then SN(R/S) if and only if SN(R^rev/S^rev).

Lemma 1 is strongly used in TORPA: if SN(R/S) has to be proved then all techniques are not only applied on R/S but also on R^rev/S^rev.

3 Polynomial Interpretations 

The ideas of (polynomial) interpretations go back to [10, 2]. First we give the underlying theory for doing this for string rewriting.

Let A be a non-empty set and Σ be an alphabet. Let ε denote the empty string in Σ*. If f_a : A → A has been defined for every a ∈ Σ then f_s : A → A is defined for every s ∈ Σ* inductively as follows:

$$f_\varepsilon(x) = x,\qquad f_{as}(x) = f_a(f_s(x)),\qquad \text{for every } x \in A,\ a \in \Sigma,\ s \in \Sigma^*.$$

Theorem 2. Let A be a non-empty set and let > be a well-founded order on A. Let f_a : A → A be strictly monotone for every a ∈ Σ, i.e., f_a(x) > f_a(y) for every x, y ∈ A satisfying x > y. Let R and S be disjoint SRSs over Σ such that f_l(x) > f_r(x) for all x ∈ A and l → r ∈ R, and f_l(x) ≥ f_r(x) for all x ∈ A and l → r ∈ S. Then SN(R/S).

In the general case this approach is called monotone algebras ([11, 13]). In case A consists of all integers ≥ N with the usual order for some number N, and the functions f_a are polynomials, this approach is called polynomial interpretations.

In TORPA only three distinct polynomials are used: the identity, the successor λx·x+1, and λx·10x. For every symbol a one of these three polynomials is chosen, and then it is checked whether using Theorem 2 gives rise to SN(R'/S') for some non-empty R', where R' consists of the rules for which ‘>’ is obtained. If so, then by using Theorem 1 the proof obligation is weakened and the process is repeated until no rules remain, or only non-strict rules. As a first example consider the two rules ab → ba, a →= ca, i.e., SN(R/S) has to be proved where R consists of the rule ab → ba and S consists of the rule a → ca. Now TORPA yields:

Choose polynomial interpretation:

a: lambda x.10x, b: lambda x.x+1, rest identity

remove: ab -> ba

Relatively terminating since no strict rules remain.

Here for f_a and f_b respectively λx·10x and the successor are chosen. Since f_ab(x) = f_a(f_b(x)) = 10(x+1) > 10x+1 = f_b(f_a(x)) = f_ba(x) for every x, indeed the first rule may be removed due to Theorem 2, and relative termination may be concluded due to Theorem 1.

Checking whether f_l(x) > f_r(x) or f_l(x) ≥ f_r(x) for all x for some rule l → r is easily done due to our restriction to linear polynomials. However, for n distinct symbols there are 3^n candidate interpretations, which can be too big. Therefore a selection is made: only choices are made for which at least n − 2 symbols have the same interpretations. In this way the number of candidates is quadratic in n. Attempts to prove (relative) termination are done both for the given SRS and its reverse. For instance, for the single rule ab → baa no polynomial interpretation is possible (not even an interpretation in ℕ as is shown in [11]), but for its reverse TORPA easily finds one. TORPA applied on the three rules a → fb, bd → cdf, dc → adfd yields

Reverse every lhs and rhs of the system and choose polynomial
interpretation: f: identity, d: lambda x.x+1, rest lambda x.10x

remove: dc -> adfd

Choose polynomial interpretation a: lambda x.x+1, rest identity
remove: a -> fb

Choose polynomial interpretation b: lambda x.x+1, rest identity
remove: bd -> cdf

Terminating since no rules remain.
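The procedure of this section (three linear interpretations per symbol, the "at least n − 2 symbols agree" restriction, Theorem 2 to orient the rules, Theorem 1 to remove the strictly oriented ones, and Lemma 1 to try the reversed system) is reconstructed below in Python. This is an added example, not TORPA's code: the carrier is taken to be the integers ≥ 0, so f_l(x) > f_r(x) for all x reduces to a comparison of coefficients, and candidate order, proof wording and the `prove` loop are my choices.

```python
# Added example (not TORPA's implementation): the polynomial-interpretation
# step as described in the text, over A = { x in Z | x >= 0 }.
from itertools import combinations, product
from typing import Dict, Iterator, List, Optional, Tuple

Linear = Tuple[int, int]                    # (a, b) stands for lambda x. a*x + b
Rule = Tuple[str, str, bool]                # (lhs, rhs, strict?)
POLYS: Dict[str, Linear] = {                # the three polynomials TORPA uses
    "identity": (1, 0),
    "lambda x.x+1": (1, 1),
    "lambda x.10x": (10, 0),
}


def interpret(word: str, f: Dict[str, Linear]) -> Linear:
    """f_s(x) = f_{a1}(f_{a2}(...f_{an}(x))) for s = a1...an as a linear map;
    f_eps is the identity and the last letter acts first."""
    a, b = 1, 0
    for c in reversed(word):
        ca, cb = f[c]
        a, b = ca * a, ca * b + cb          # f_c(a*x + b) = ca*a*x + (ca*b + cb)
    return a, b


def decreasing(l: str, r: str, f: Dict[str, Linear], strict: bool) -> bool:
    """f_l(x) > f_r(x) (strict) resp. f_l(x) >= f_r(x) for all x >= 0."""
    (al, bl), (ar, br) = interpret(l, f), interpret(r, f)
    return al >= ar and (bl > br if strict else bl >= br)


def symbols(rules: List[Rule]) -> List[str]:
    return sorted({c for l, r, _ in rules for c in l + r})


def candidates(syms: List[str]) -> Iterator[Tuple[Dict[str, Linear], Dict[str, str], str]]:
    """TORPA's restricted search space: at least n-2 symbols share one
    interpretation, so the number of candidates is quadratic in n."""
    names = list(POLYS)
    for base in names:
        for k in range(min(2, len(syms)) + 1):
            for special in combinations(syms, k):
                for choice in product(names, repeat=k):
                    f = {s: POLYS[base] for s in syms}
                    chosen = dict(zip(special, choice))
                    for s, name in chosen.items():
                        f[s] = POLYS[name]
                    yield f, chosen, base


def find_interpretation(rules: List[Rule]):
    """An interpretation that weakly orients every rule and strictly orients a
    non-empty set R' of rules (Theorem 2), or None."""
    for f, chosen, base in candidates(symbols(rules)):
        if not all(decreasing(l, r, f, False) for l, r, _ in rules):
            continue
        removed = [(l, r, s) for l, r, s in rules if decreasing(l, r, f, True)]
        if removed:
            return f, chosen, base, removed
    return None


def prove(rules: List[Rule]) -> Optional[List[str]]:
    """Remove strictly oriented rules (Theorem 1) until no strict rule is
    left, trying the system and its reverse (Lemma 1) at every step."""
    proof: List[str] = []
    current = list(rules)
    while any(strict for _, _, strict in current):
        for reverse in (False, True):
            system = [(l[::-1], r[::-1], s) for l, r, s in current] if reverse else current
            found = find_interpretation(system)
            if found:
                break
        else:
            return None                     # neither orientation admits an interpretation
        f, chosen, base, removed = found
        if reverse:
            proof.append("Reverse every lhs and rhs of the system.")
        parts = [f"{s}: {name}" for s, name in chosen.items()] + [f"rest {base}"]
        proof.append("Choose polynomial interpretation: " + ", ".join(parts))
        proof.extend(f"remove: {l} -> {r}" for l, r, _ in removed)
        current = [rule for rule in system if rule not in removed]
    proof.append("Terminating since no rules remain." if not current
                 else "Relatively terminating since no strict rules remain.")
    return proof


if __name__ == "__main__":
    for line in prove([("ab", "ba", True), ("a", "ca", False)]):
        print(line)
```

On the first example of the text the search finds exactly TORPA's interpretation (a: 10x, b: x+1, rest identity), since no other candidate weakly orients a → ca while strictly orienting ab → ba; on ab → baa it has to reverse first, as the text says.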
4 Recursive Path Order

Recursive path order is an old technique too; it was introduced by Dershowitz [5]. Restricted to string rewriting it means that for a fixed order > on the finite alphabet Σ, called the precedence, there is an order >rpo on Σ* called recursive path order. The main property of this order is that if l >rpo r for all rules l → r of an SRS R, then R is terminating. This order >rpo has the following defining property: s >rpo t if and only if s can be written as s = as' for a ∈ Σ, and either

– s' = t or s' >rpo t, or

– t can be written as t = bt' for b ∈ Σ, and either

  • a > b and s >rpo t', or

  • a = b and s' >rpo t'.

For further details we refer to [13]. To avoid branching in the search for a valid precedence in TORPA a slightly weaker version is used. On the other hand, the basic order is also used in combination with removing symbols and reversing. For details see [14]. As an example we give TORPA's result on the single rule abc → bacb:

Terminating by recursive path order with precedence: a>b b>c
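The defining property of >rpo above is a recursion on the two strings that can be transcribed directly. The Python below is an added example, not TORPA's implementation (in particular it is the basic order, not the weaker variant TORPA searches with): a precedence is a dict giving each letter a rank, and `terminating_by_rpo` asks l >rpo r for every rule.

```python
# Added example (not TORPA code): the recursive path order on strings exactly
# as defined in the text, with memoised recursion.
from functools import lru_cache
from typing import Dict, List, Tuple


def rpo_greater(s: str, t: str, prec: Dict[str, int]) -> bool:
    """s >rpo t for the precedence `prec` (larger rank = larger in >)."""
    @lru_cache(maxsize=None)
    def gt(s: str, t: str) -> bool:
        if not s:                            # s must be writable as a s'
            return False
        a, s1 = s[0], s[1:]
        if s1 == t or gt(s1, t):             # first alternative: s' = t or s' >rpo t
            return True
        if not t:                            # second alternative needs t = b t'
            return False
        b, t1 = t[0], t[1:]
        if prec[a] > prec[b] and gt(s, t1):  # a > b and s >rpo t'
            return True
        return a == b and gt(s1, t1)         # a = b and s' >rpo t'
    return gt(s, t)


def terminating_by_rpo(rules: List[Tuple[str, str]], prec: Dict[str, int]) -> bool:
    """Main property: l >rpo r for all rules implies termination."""
    return all(rpo_greater(l, r, prec) for l, r in rules)


if __name__ == "__main__":
    # TORPA's precedence a>b b>c for the rule abc -> bacb from the text
    print(terminating_by_rpo([("abc", "bacb")], {"a": 2, "b": 1, "c": 0}))
```

Every recursive call shrinks s or t, so the recursion terminates; the non-terminating rule aa → aaa is (correctly) not orientable by any precedence, because the second string can never be consumed.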



5 Semantic Labelling 

The technique of semantic labelling was introduced in [12]. Here we restrict to the version for string rewriting in which every symbol is labelled by the value of its argument. For this version we present the theory for relative termination; TORPA only applies this for (quasi-)models containing only two elements. This approach grew out from [8].

Fix a non-empty set A and maps f_a : A → A for all a ∈ Σ for some alphabet Σ. Let f_s for s ∈ Σ* be defined as before. Let Σ̄ be the alphabet consisting of the symbols a_x for a ∈ Σ and x ∈ A. The labelling function lab : Σ* × A → Σ̄* is defined inductively as follows:

$$\mathrm{lab}(\varepsilon, x) = \varepsilon,\qquad \mathrm{lab}(sa, x) = \mathrm{lab}(s, f_a(x))\, a_x,\qquad \text{for } s \in \Sigma^*,\ a \in \Sigma,\ x \in A.$$

For an SRS R define lab(R) = { lab(l, x) → lab(r, x) | l → r ∈ R, x ∈ A }.

Theorem 3. Let R and S be two disjoint SRSs over an alphabet Σ. Let > be a well-founded order on a non-empty set A. Let f_a : A → A be defined for all a ∈ Σ such that

– f_a(x) ≥ f_a(y) for all a ∈ Σ, x, y ∈ A satisfying x > y, and

– f_l(x) ≥ f_r(x) for all l → r ∈ R ∪ S, x ∈ A.

Let Dec be the SRS over Σ̄ consisting of the rules a_x → a_y for all a ∈ Σ, x, y ∈ A satisfying x > y. Then SN(R/S) if and only if SN(lab(R)/(lab(S) ∪ Dec)).
In case the relation > is empty the set A together with the functions f_a for a ∈ Σ is called a model for the SRS, otherwise it is called a quasi-model. It is called a model since then for every rule l → r the interpretation f_l of l is equal to the interpretation f_r of r. Note that Dec = ∅ in case of a model. On the single rule aa → aba TORPA may yield:

Apply labelling with the following interpretation in {0,1}:
a: constant 0
b: constant 1

and label every symbol by the value of its argument.

This interpretation is a model.

Labelled system:

a0 a0 -> a1 b0 a0
a0 a1 -> a1 b0 a1

Choose polynomial interpretation a0 : lambda x.x+1, rest identity

by which both rules are removed. In the notation of Theorem 3 this means that A = {0, 1}, f_a(x) = 0 and f_b(x) = 1 for x ∈ A, R = {aa → aba}, S = lab(S) = Dec = ∅. Since lab(aa, x) = a_0 a_x and lab(aba, x) = a_1 b_0 a_x for x = 0, 1, the labelled system lab(R) is as indicated, for which indeed a termination proof is found.
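The labelling function lab, the model and quasi-model conditions of Theorem 3, and the Dec rules are small enough to code directly. The following Python is an added example, not TORPA's code: interpretations are dicts of functions over A = {0, 1}, labelled symbols are written a0, a1 as in TORPA's output, and the order on A is assumed to be the numeric one (so the quasi-model case uses the pair 1 > 0). It reproduces the labelled system of the example above.

```python
# Added example (not TORPA code): lab(s, x), lab(R), Dec, and the model /
# quasi-model checks of Theorem 3 for interpretations over A = {0, 1}.
from typing import Callable, Dict, List, Set, Tuple

A = (0, 1)                                  # the two-element carrier TORPA uses
Interp = Dict[str, Callable[[int], int]]    # f_a for every letter a
Rule = Tuple[str, str]


def f_word(s: str, f: Interp, x: int) -> int:
    """f_s(x) = f_{a1}(f_{a2}(...f_{an}(x))): the last letter acts first."""
    for c in reversed(s):
        x = f[c](x)
    return x


def lab(s: str, f: Interp, x: int) -> List[str]:
    """lab(eps, x) = eps;  lab(s a, x) = lab(s, f_a(x)) a_x."""
    if not s:
        return []
    head, a = s[:-1], s[-1]
    return lab(head, f, f[a](x)) + [f"{a}{x}"]


def labelled_system(rules: List[Rule], f: Interp) -> List[Tuple[List[str], List[str]]]:
    """lab(R) = { lab(l, x) -> lab(r, x) | l -> r in R, x in A }."""
    return [(lab(l, f, x), lab(r, f, x)) for l, r in rules for x in A]


def is_model(rules: List[Rule], f: Interp) -> bool:
    """Model: f_l = f_r on A for every rule (the case > = empty, Dec = empty)."""
    return all(f_word(l, f, x) == f_word(r, f, x) for l, r in rules for x in A)


def is_quasi_model(rules: List[Rule], f: Interp, greater: Set[Tuple[int, int]]) -> bool:
    """Quasi-model for the strict order `greater` (pairs (x, y) with x > y,
    assumed compatible with the numeric order): every f_a weakly monotone
    and f_l(x) >= f_r(x) for every rule and every x."""
    monotone = all(f[a](x) >= f[a](y) for a in f for x, y in greater)
    weak = all(f_word(l, f, x) >= f_word(r, f, x) for l, r in rules for x in A)
    return monotone and weak


def dec_rules(symbols: List[str], greater: Set[Tuple[int, int]]) -> List[Rule]:
    """Dec: a_x -> a_y for every symbol a and every pair x > y."""
    return [(f"{a}{x}", f"{a}{y}") for a in symbols for x, y in sorted(greater)]


if __name__ == "__main__":
    f: Interp = {"a": lambda x: 0, "b": lambda x: 1}    # TORPA's model from the text
    print("model:", is_model([("aa", "aba")], f))
    for l, r in labelled_system([("aa", "aba")], f):
        print(" ".join(l), "->", " ".join(r))
```

The interpretation λx·1−x fails the quasi-model check for 1 > 0, as the text notes, because it is not weakly monotone.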

For A = {0, 1}, for every symbol a there are four possibilities for f_a : A → A: f_a = λx·x, f_a = λx·0, f_a = λx·1, f_a = λx·1−x. Up to renaming, A = {0, 1} admits only two strict orders >: > = ∅ and > = {(1, 0)}. For the first one (the model case) for all symbols a all four interpretations for f_a are allowed, and the only restriction is that f_l = f_r for all rules l → r ∈ R ∪ S. For the second order (the quasi-model case) for all symbols a only the first three interpretations for f_a are allowed, since f_a = λx·1−x does not satisfy the requirement that f_a(x) ≥ f_a(y) for x > y. On the other hand, now the restriction on the rules is weaker: rather than f_l(x) = f_r(x) it is only required that f_l(x) ≥ f_r(x) for all rules l → r ∈ R ∪ S and x ∈ A.

In TORPA first the model approach is tried for random choices of the functions f_a until the model requirements hold. Then polynomial interpretations and recursive path order are applied on the labelled systems. If this succeeds the desired proof is generated, otherwise the whole procedure is repeated. There is a basic maximal number of attempts to be done. The default of this number is 100. Subsequent attempts to prove termination by TORPA may yield different solutions, due to the use of the random generator.

In case this first series of attempts was not yet successful a similar procedure is applied for quasi-models. For both the model case and the quasi-model case everything is done twice while no solution is found: once for R/S and once for R^rev/S^rev. On the four rules a → bc, ab → ba, dc → da, ac → ca TORPA yields:

Reverse every Ihs and rhs of the system. 

Apply labelling with the following interpretation in {0,1}: 
a: identity c: identity 

b: constant 0 d: constant 1 

and label every symbol by the value of its argument. 

This is a quasi-model for 1 > 0. 
and for the resulting labelled system a termination proof is given by polynomial interpretations. We do not know any other way to prove termination of this SRS.

In case some attempt to prove termination of a labelled system fails, but applying polynomial interpretations succeeds in removing some rules, then in the default setting of TORPA it is checked whether after removing all labels a strict subset of the original SRS is obtained. If so, then the whole procedure starts again on this smaller SRS. In this way TORPA finds a termination proof for aba → abba, bab → baab by first finding a labelling by which one rule can be removed, and then finding another labelling for the remaining rule.

6 Dependency Pairs 

The technique of dependency pairs was introduced in [1] and is extremely useful for automatically proving termination of term rewriting. Here we only use a mild version of it, without explicitly doing argument filtering or dependency graph approximation. It turns out that often the same reduction of the problem caused by these more involved parts of the dependency pair technique is done by applying our versions of labelling and polynomial interpretations.

For an SRS R over an alphabet Σ let Σ_D be the set of defined symbols of R, i.e., the set of symbols occurring as the leftmost symbol of the left hand side of a rule in R. For every defined symbol a ∈ Σ_D we introduce a fresh symbol ā. TORPA follows the convention that if a is a lowercase symbol then its capital version is used as the notation for ā. Write Σ̄ = Σ ∪ {ā | a ∈ Σ_D}. The SRS DP(R) over Σ̄ is defined to consist of all rules of the shape ā l' → b̄ r'' for which a l' = l and r = r' b r'' for some rule l → r in R and a, b ∈ Σ_D. Rules of DP(R) are called dependency pairs. Now the main theorem of dependency pairs reads as follows.

Theorem 4. Let R be any SRS. Then SN(R) if and only if SN(DP(R)/R).

It is used in TORPA as follows: if proving SN(R) does not succeed by the earlier techniques, then the same techniques are applied for trying to prove SN(DP(R)/R) or SN(DP(R^rev)/R^rev). In fact the desire for being able to do so was one of the main reasons to generalize the basic methods to relative termination and design TORPA to cover relative termination.

Applying TORPA on the two rules ab → c, c → ba yields:

Dependency pair transformation:
ab ->= c
c ->= ba
Ab -> C
C -> A

followed by a simple proof by polynomial interpretations.
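The definition of DP(R) for strings is a short computation: collect the leftmost symbols of the left hand sides, then for every rule and every occurrence of a defined symbol b in the right hand side emit ā l' → b̄ r''. The following Python is an added example, not TORPA's code, using TORPA's capital-letter convention for marked symbols and its ->= / -> notation for the relative problem DP(R)/R of Theorem 4.

```python
# Added example (not TORPA code): the dependency pair transformation for SRSs
# as defined in the text, printed as the relative problem DP(R)/R.
from typing import List, Set, Tuple

Rule = Tuple[str, str]


def defined_symbols(rules: List[Rule]) -> Set[str]:
    """Sigma_D: leftmost symbols of left hand sides."""
    return {l[0] for l, _ in rules}


def dependency_pairs(rules: List[Rule]) -> List[Rule]:
    """All a_bar l' -> b_bar r'' with a l' = l, r = r' b r'', a and b defined.
    Marked symbols are written as capitals (TORPA's convention)."""
    defined = defined_symbols(rules)
    pairs: List[Rule] = []
    for l, r in rules:
        a, l1 = l[0], l[1:]                 # a is defined by construction
        for i, b in enumerate(r):
            if b in defined:
                pairs.append((a.upper() + l1, b.upper() + r[i + 1:]))
    return pairs


def dp_problem(rules: List[Rule]) -> List[str]:
    """DP(R)/R in TORPA notation: the rules of R become non-strict (->=),
    the dependency pairs are the strict rules (->)."""
    lines = [f"{l} ->= {r}" for l, r in rules]
    lines += [f"{l} -> {r}" for l, r in dependency_pairs(rules)]
    return lines


if __name__ == "__main__":
    print("Dependency pair transformation:")
    for line in dp_problem([("ab", "c"), ("c", "ba")]):
        print(line)
```

On the four-rule example that follows in the text, applying this to the reversed remaining three rules (acb → cbaba, b → cc, aa → abca) gives seven dependency pairs, i.e. the 10 rules the text reports, among them Aa → Abca and Aa → A.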

On the four rules bca → ababc, b → cc, cd → abca, aa → acba TORPA yields the following remarkable termination proof. First the third rule is removed by a polynomial interpretation. Then the remaining SRS is reversed and the dependency pair transformation is applied, yielding 10 rules. By polynomial interpretations three rules are removed, and on the remaining 7 rules a quasi-model labelling is found, giving a labelled SRS of 20 rules. By polynomial interpretations 10 of them are removed. By removing all labels it suffices to prove relative termination of the five rules acb →= cbaba, b →= cc, aa →= abca, Aa → Abca, Aa → A. By again finding a quasi-model labelling, applying polynomial interpretations and removing labels one strict rule is removed. Next lhs's and rhs's are reversed, and for the resulting SRS a third quasi-model labelling is found by which the remaining strict rule is removed, proving relative termination and concluding the termination proof of the original SRS. The full proof was found completely automatically by TORPA in one or two seconds.

7 RFC-Match-Bounds 

A recent very elegant and powerful approach for proving termination of string rewriting is given in [7]. The strongest version is proving match bounds of right hand sides of forward closures, shortly RFC-match-bounds. Here we present the main theorem as it is used in TORPA; for the proof and further details we refer to [7]. For an SRS R over an alphabet Σ we define the SRS R# over Σ ∪ {#} by

$$R_\# = R \cup \{\, l_1 \# \to r \mid l \to r \in R \wedge l = l_1 l_2 \wedge l_1 \neq \varepsilon \neq l_2 \,\}.$$

For an SRS R over an alphabet Σ we define the infinite SRS match(R) over Σ × ℕ to consist of all rules

$$(a_1, n_1) \cdots (a_p, n_p) \to (b_1, m_1) \cdots (b_q, m_q)$$

for which a_1 ··· a_p → b_1 ··· b_q ∈ R and m_i = 1 + min_{j=1,...,p} n_j for all i = 1, ..., q.

Theorem 5. Let R be an SRS and let N ∈ ℕ such that for all rhs's b_1 ··· b_q of R and all k ∈ ℕ and all reductions

$$(b_1, 0) \cdots (b_q, 0)(\#, 0)^k \to^*_{\mathrm{match}(R_\#)} (c_1, n_1) \cdots (c_r, n_r)$$

it holds that n_i ≤ N for all i = 1, ..., r. Then R is terminating.

The minimal number N satisfying the condition in Theorem 5 is called the corresponding match bound. The way to verify the condition of Theorem 5 is to construct a certificate, being a finite automaton M over the alphabet (Σ ∪ {#}) × ℕ, where Σ is the alphabet of R, satisfying:

– for every rhs b_1 ··· b_q of R and every k ∈ ℕ the automaton M accepts (b_1, 0) ··· (b_q, 0)(#, 0)^k, and

– M is closed under match(R#), i.e., if M accepts v and v →_{match(R#)} u then M accepts u too.

The pair (a, k) ∈ (Σ ∪ {#}) × ℕ will shortly be written as a_k, and the number k is called the label of this pair. It is easy to see that if a (finite) certificate M has been found then for N being the biggest label occurring in M the condition of Theorem 5 holds. Hence the only thing to be done for proving termination by this approach is finding a certificate. All of these observations are found in [7]; the only new contribution of TORPA is the much more powerful heuristic of searching for such a certificate.
As an example we consider the single rule aba → abbba. None of the earlier techniques works, but TORPA yields the following certificate: 

(figure: the certificate automaton for aba → abbba) 

Rather than giving such a picture TORPA yields a list of all transitions, containing all information about the automaton. Indeed this automaton is a certificate: it accepts a0 b0 b0 b0 a0 #0^k for every k, and it is closed under match(R#), hence proving termination. For instance, it accepts a0 b0 b0 b0 a0 #0 which rewrites to a0 b0 b0 b0 a1 b1 b1 b1 a1 by the rule a0 #0 → a1 b1 b1 b1 a1 of match(R#), also accepted by the automaton. 

TORPA tries to construct a certificate if the earlier techniques fail, both for the SRS and its reverse. This construction starts by an automaton exactly accepting (b1, 0) ··· (bq, 0)(#, 0)^k for every rhs b1 ··· bq of R and every k ∈ N. Then for every path in the automaton labelled by a lhs of match(R#) it is checked whether there exists a path between the same two nodes labelled by the corresponding rhs. If not, then such a path has to be constructed. Here the heuristic comes in. If a path from n1 to n2 has to be constructed labelled by the string au for a ∈ (Σ ∪ {#}) × N and u ∈ ((Σ ∪ {#}) × N)*, then it is checked whether a node n exists for which a path from n to n2 exists labelled by u. If so, then an edge from n1 to n is added labelled by a, if not, then a completely fresh path from n1 to n2 is constructed labelled by au. This process is repeated until either no edges need to be added or overflow occurs. In the first case the resulting automaton is a certificate by construction, proving termination. Overflow occurs if the automaton contains 800 edges. 

In the above example nodes 7, 8, 9, 10 are added for making a path from 6 to 2 labelled by a1 b1 b1 b1 a1. Then the edge from 10 to 7 is added for making a path from 10 to 2 labelled by a1 b1 b1 b1 a1, and then nothing is to be added any more. This very simple heuristic was found after trying many other and more involved heuristics that turned out to be much less powerful. 
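The certificate construction just described, as an added example that is not TORPA's own code: a Python implementation of R#, the labelling of match(R#), the path-reuse heuristic and the 800-edge overflow check, run on the rule aba → abbba. Node numbers are the implementation's own and differ from those quoted above; the automaton starts from a single initial node, one path per rhs.

```python
from itertools import count

def rfc_rules(rules):
    """R#: R plus l1# -> r for every split l = l1 l2 with l1, l2 non-empty."""
    out = list(rules)
    for lhs, rhs in rules:
        for i in range(1, len(lhs)):
            out.append((lhs[:i] + "#", rhs))
    return out

class Certificate:
    """Finite automaton over (Sigma u {#}) x N; each edge carries (symbol, label)."""
    def __init__(self):
        self.edges = {}               # node -> list of ((symbol, label), node)
        self._fresh = count(1)

    def node(self):
        n = next(self._fresh)
        self.edges[n] = []
        return n

    def add_edge(self, src, sym, dst):
        if (sym, dst) not in self.edges[src]:
            self.edges[src].append((sym, dst))

    def size(self):
        return sum(len(out) for out in self.edges.values())

    def max_label(self):
        return max(lab for out in self.edges.values() for ((_, lab), _) in out)

    def targets(self, src, word):
        """Nodes reachable from src along a path labelled by the labelled word."""
        frontier = {src}
        for sym in word:
            frontier = {d for n in frontier for (s, d) in self.edges[n] if s == sym}
        return frontier

    def paths_spelling(self, string):
        """(src, dst, labels) for every path that spells string when labels are
        dropped; these are exactly the paths labelled by a lhs of match(R#)."""
        for src in list(self.edges):
            stack = [(src, 0, ())]
            while stack:
                n, i, labels = stack.pop()
                if i == len(string):
                    yield src, n, labels
                    continue
                for (sym, lab), d in self.edges[n]:
                    if sym == string[i]:
                        stack.append((d, i + 1, labels + (lab,)))

    def ensure_path(self, src, dst, word):
        """TORPA's heuristic: if some node n already reaches dst by word[1:],
        add a single edge src --word[0]--> n; otherwise build a fresh path."""
        first, rest = word[0], word[1:]
        for n in list(self.edges):
            if dst in self.targets(n, rest):
                self.add_edge(src, first, n)
                return
        cur = src
        for sym in word[:-1]:
            nxt = self.node()
            self.add_edge(cur, sym, nxt)
            cur = nxt
        self.add_edge(cur, word[-1], dst)

def missing_rhs_paths(aut, rsharp):
    """(src, dst, rhs word) for each lhs path of match(R#) without its rhs path;
    the rhs labels are 1 + the minimum label of the matched lhs."""
    for lhs, rhs in rsharp:
        for src, dst, labels in list(aut.paths_spelling(lhs)):
            word = tuple((b, 1 + min(labels)) for b in rhs)
            if dst not in aut.targets(src, word):
                yield src, dst, word

def is_certificate(aut, rules):
    """Closure under match(R#); acceptance of every rhs holds by construction."""
    return next(missing_rhs_paths(aut, rfc_rules(rules)), None) is None

def find_certificate(rules, max_edges=800):
    """Return (match bound, certificate) or None on overflow (800 edges in TORPA)."""
    aut = Certificate()
    start = aut.node()
    for _, rhs in rules:            # accept (b1,0)...(bq,0)(#,0)^k for every rhs
        cur = start
        for sym in rhs:
            nxt = aut.node()
            aut.add_edge(cur, (sym, 0), nxt)
            cur = nxt
        aut.add_edge(cur, ("#", 0), cur)
    rsharp = rfc_rules(rules)
    while True:
        missing = list(missing_rhs_paths(aut, rsharp))
        if not missing:
            return aut.max_label(), aut
        for src, dst, word in missing:
            if dst not in aut.targets(src, word):   # may have appeared meanwhile
                aut.ensure_path(src, dst, word)
            if aut.size() > max_edges:
                return None
```

For aba → abbba the loop adds a fresh four-node path for the lhs path a0 #0, then reuses it with one extra edge for the new lhs path a1 #0, giving a 10-node certificate with match bound 1.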

Termination of the single rule aabb → bbbaaa is easily proved by this approach, yielding exactly the same automaton as given in [7] having 42 nodes and match bound 4. However, there it was found after an extensive process on intermediate automata of thousands of nodes, while in our approach no intermediate automata exceeding the final result occurred. The main difference is that in [7] an exact automaton is computed while TORPA computes an approximation. However, for nearly all examples both automata coincide. 

8 Conclusions and Further Research 

For many small SRSs TORPA automatically finds a termination proof, but finding a human proof allowing any presently known technique seems to be a really hard job. Usually, the generated proofs are not more than a few pages of text, including many details. For people familiar with the underlying theory verifying the generated proofs is always feasible. However, this may be very boring, and redundant since the proofs are correct by construction. 

Due to the extension in January 2004 by RFC-match-bounds, the present version 1.2 is much stronger than the earlier version 1.1 described in [14]. 

Most techniques used in TORPA also apply for term rewriting rather than string rewriting. Hence a natural follow-up will be a version of TORPA capable of proving termination of term rewriting. 
Abstract. The problem of selecting nodes in unranked trees is the most 
basic querying problem for XML. We propose stepwise tree automata for 
querying unranked trees. Stepwise tree automata can express the same 
monadic queries as monadic Datalog and monadic second-order logic. We 
prove this result by reduction to the ranked case, via a new systematic 
correspondence that relates unranked and ranked queries. 



1 Introduction 

Querying semi-structured documents is a base operation for information extrac- 
tion from the Web or semi-structured databases. It requires expressive query 
languages whose queries can be answered efficiently [8]. The most widely known 
querying language these days is the W3C standard XPath (see e.g. [10,9]). 

Semi-structured documents in XML or HTML form unranked trees whose nodes 
may have an unbounded list of children. The most basic querying problem is to 
select sets of nodes in unranked trees. Monadic queries approach this problem 
declaratively. They specify sets of nodes in a tree that can then be computed by 
a generic algorithm. 

We are interested in query languages that can describe all regular sets of 
nodes in trees. This property is satisfied by three classes of queries, those repre- 
sented by tree automata [16,12,3, 13,6], monadic second-order logic (MSO) [16, 
8] and monadic Datalog [1,7] over trees. Automata and Datalog queries can be 
answered in linear time. They are satisfactory in efficiency and expressiveness, 
in theory and practice [11]. 

Unranked trees are problematic in that they may be recursive in depth and 
breadth, in contrast to ranked trees. This additional level of recursion needs to 
be accounted for by recursive queries. In MSO and monadic Datalog, breadth 
recursion can be programmed from the next_sibling relation. Unfortunately, this 
relation cannot be expressed in WSωS, so that traditional results on ranked trees 
don’t carry over for free. Selection automata [6] reduce breadth recursion to 
depth recursion, by operating on binary encodings of unranked trees. Encodings 
are problematic in that they alter locality and path properties; furthermore the 
close relationship to unranked Datalog queries gets lost. Hedge automata [16, 
12, 3] express horizontal recursion by an extra recursion level in transition rules. 
This syntactic extension leads to numerous technical problems [13,7] that one 
might prefer to avoid. 
Fig. 1. Tree extension 



In this paper, we propose stepwise tree automata for querying unranked trees. 
Stepwise tree automata are traditional tree automata that can either operate on 
unranked or ranked trees. They combine the advantages of selection and hedge 
automata. They model horizontal recursion by traversing siblings stepwise from 
the left to the right. 

The algebraic approach behind stepwise tree automata yields a new system- 
atic correspondence between queries for unranked and ranked trees. We elaborate 
this correspondence for monadic queries. We show that stepwise tree automata, 
monadic Datalog programs, and MSO can express the same monadic queries over 
unranked trees. We reduce this result to the case of ranked trees due to our new 
systematic correspondence. Specific proofs for unranked queries are not needed 
in contrast to [13,7]. 

2 The Algebras of Unranked and Ranked Trees 

An unranked signature Σ is a set of symbols ranged over by a, b. An ordered unranked tree or u-tree t over Σ satisfies the following abstract syntax: 

t ::= a(t1, ..., tn) where n ≥ 0. 

Unordered unranked trees were investigated in [14,15,18]. We identify an unranked tree a() with the symbol a. We write tree^u for the set of unranked trees. The extension operator @^u : tree^u × tree^u → tree^u for unranked trees is depicted in Fig. 1. The extended tree t @^u t' is obtained from t by adjoining t' as next sibling of the last child of t: 

a(t1, ..., tn) @^u t' = a(t1, ..., tn, t') 

Note that a(t1, ..., tn) = a @^u t1 @^u ... @^u tn with parentheses set from left to right. Tree extension @^u is neither associative nor commutative. 

Let Σ@ = Σ ∪ {@} be the ranked signature of function symbols with constants in Σ and a single binary function symbol @. Ranked trees over Σ@ are ground terms over Σ@, i.e., binary trees that satisfy the grammar: 

t ::= a | t1 @ t2 

We omit parentheses as in the λ-calculus; a@b@(c@b@a) for instance is (a@b)@((c@b)@a). We write tree^r for the set of ranked trees over Σ@. Ranked trees can be constructed by the binary operator @^r : tree^r × tree^r → tree^r which satisfies for all ranked trees t1, t2: 

t1 @^r t2 = t1@t2 

Querying Unranked Trees with Stepwise Tree Automata 107 

Fig. 2. An unranked tree with its ranked construction ctree (a) and its first-child/next-sibling encoding (b) 

Unranked trees correspond precisely to ranked constructions with respect to the function ctree : tree^u → tree^r which satisfies for all unranked trees t1, t2 and symbols a ∈ Σ: 

ctree(t1 @^u t2) = ctree(t1) @^r ctree(t2) and ctree(a) = a 

The idea of this binary construction is known from Currying. An unranked tree describes an application of a function to a list of arguments. Its binary construction represents the Curried version of this function, receiving arguments one by one. We therefore write tree extension as function application t1@t2. 

The set tree^u of unranked trees over Σ with the extension operation @^u is a Σ@-algebra, as well as the set tree^r of ranked trees over Σ@ with the operation @^r. 

Proposition 1. The construction function ctree : tree^u → tree^r is an isomorphism between Σ@-algebras. 

Ranked and unranked trees thus have the same algebraic properties and the same finite automata [17,5,14]. 

Ranked constructions are binary representations of unranked trees. Previous approaches towards querying unranked trees rely on a different binary representation [8,6], which encodes first-child and next-sibling relations. An example is given in Fig. 2b. The new binary construction, however, makes it possible to carry over traditional results from ranked to unranked trees more systematically. 

3 Stepwise Tree Automata 

Stepwise tree automata A over signature Σ are traditional tree automata ([4]) over the signature Σ@. They consist of a finite set states(A) of states, a set final(A) ⊆ states(A) of final states, and a finite set rules(A) of transition rules of two forms, where a ∈ Σ and q, q1, q2 ∈ states(A): 

a → q and q1@q2 → q 

eval^α_A(a) = {q | a → q ∈ rules(A)} 

eval^α_A(t1 @^α t2) = {q | q1 ∈ eval^α_A(t1), q2 ∈ eval^α_A(t2), q1@q2 → q ∈ rules(A)} 

Fig. 3. Ranked and unranked evaluation 



Stepwise tree automata can evaluate unranked and ranked trees, i.e. α-trees where α ∈ {u, r}. The α-evaluator of A is the function eval^α_A : tree^α → 2^{states(A)} defined in Fig. 3. Both evaluators only differ in the interpretation of the symbol @. 

Lemma 1. eval^u_A(t) = eval^r_A(ctree(t)) for all unranked trees t. 

Stepwise tree automata A recognize all α-trees t that can be evaluated into a final state, i.e., eval^α_A(t) ∩ final(A) ≠ ∅. The α-language L^α(A) consists of all α-trees recognized by A. 

Proposition 2. A stepwise tree automaton accepts an unranked tree if and only if it accepts its ranked construction, i.e., for all A: 

L^u(A) = ctree^{-1}(L^r(A)) 

Proof. By Lemma 1 all unranked trees t satisfy: t ∈ L^u(A) iff final(A) ∩ eval^u_A(t) ≠ ∅ iff final(A) ∩ eval^r_A(ctree(t)) ≠ ∅ iff ctree(t) ∈ L^r(A). 

As a consequence, stepwise tree automata inherit numerous properties from traditional tree automata, even if interpreted over unranked trees. Recognizable unranked tree languages are closed under intersection, union, and complementation. Emptiness can be checked in linear time, and membership t ∈ L^α(A) in linear time O(|t| * |A|). 

Example. We define a stepwise tree automaton A with signature Σ = {a, b} that recognizes all unranked trees with at least one a-labeled leaf. 

Automaton A is illustrated to the right. It has three states 0, 1, 2, two of which are final: 1, 2. A successful run of A on an unranked tree assigns state 1 in a non-deterministic way to a unique a-leaf and labels by 2 all edges visited afterwards. All other nodes and edges are labeled by 0. 

a. An a-node can be the selected a-leaf: a → 1. 

b. Any node can be assigned to state 0: a → 0, b → 0, 0@0 → 0. 

c. The edge pointing to the selected a-leaf may go into state 2: 0@1 → 2. 

d. All edges visited later on may go into state 2, too: 2@0 → 2, 0@2 → 2. 

In Fig. 4, we show the unique successful run of A on the unranked tree a(b, a(a, b)) and on its construction a@b@(a@a@b). Both runs bisimulate each other. They evaluate the respective tree into the final state 2. 








Fig. 5. Correspondence between edges and application nodes 



4 Monadic Queries 

Queries on unranked trees should correspond precisely to their counterparts on ranked constructions. This requires a precise correspondence between the domains of unranked trees and their ranked constructions. The domain of a ranked tree t is the set of its nodes: 

dom^r(t1 @^r t2) = dom^r(t1) ⊎ dom^r(t2) ⊎ {root} 
dom^r(a) = {root} 

Disjoint union A ⊎ B can be implemented by {1}×A ∪ {2}×B. The ranked domain of a@(a@a) is then implemented by: 

{root, (1, root), (2, root), (2, (1, root)), (2, (2, root))} 

As usual in mathematics, we will abstract from this implementation and talk about disjoint unions as if they were simple unions. 

The nodes of unranked trees correspond to leaves in ranked constructions. But what do application nodes in construction trees correspond to? The example in Fig. 5 illustrates that they correspond precisely to edges of unranked trees. Every edge was added by some application step, and vice versa, every application step adds some edge. We therefore define the domain of an unranked tree as the union of its nodes and edges. 

dom^u(t1 @^u t2) = dom^u(t1) ⊎ dom^u(t2) ⊎ {last_edge} 
dom^u(a) = {root} 

The last_edge of t1 @^u t2 links the root of t1 to the root of t2. Note that all nodes of t1 @^u t2 either belong to t1 or t2; the root of t1 @^u t2 is that of t1. 
cdom(t1 @^u t2)(π) = root          if π = last_edge 
                     cdom(t1)(π)   if π ∈ dom^u(t1) 
                     cdom(t2)(π)   if π ∈ dom^u(t2) 

Fig. 6. Definition of the correspondence on domains cdom 



The correspondence cdom(t) for an unranked tree t is a function between the domains of t and its ranked construction defined in Fig. 6 by recursion over the construction of t: 

cdom(t) : dom^u(t) → dom^r(ctree(t)) 

Definition 1. A monadic query is a function q that maps trees to subsets of their domain. This definition applies to ranked and unranked trees, i.e., for both α ∈ {u, r}. A monadic α-query q satisfies for all t ∈ tree^α: 

q(t) ⊆ dom^α(t) 

More general n-ary queries map to n-tuples of elements of the domain [2]. Monadic queries q on unranked trees correspond to ranked monadic queries cquery(q) such that for all t ∈ tree^r: 

cquery(q)(t) = cdom(t)(q(ctree^{-1}(t))) 

All previous query notions for unranked trees [8,6] only talk about nodes. Our extension with edges, however, is necessary to keep the symmetry to ranked queries, the reason for the simplicity of our approach. 



5 Automata Queries 

In the remainder of the paper, we will discuss regular monadic queries. These can be defined by tree automata, monadic second-order logic, and monadic Datalog. Here, we start with tree automata. 

We call a ranked monadic query q regular if all q(t) are regular unary relations where t ∈ tree^r. Let us recall the definition of regular node relations in ranked trees [17]. Given a ranked tree t over the signature Σ@ × Bool, and i ∈ {1, 2}, let proj^i(t) be the ranked tree obtained by projecting all labels in t to their i'th component. For a monadic query q and ranked tree t let zip(t, q) be the ranked tree over the extended signature Σ@ × Bool with proj^1(zip(t, q)) = t and proj^2(zip(t, q)) = q. 

Definition 2. A monadic query q for ranked trees is regular if the set {zip(t, q) | t ∈ tree^r} can be recognized by a tree automaton. A monadic query q for unranked trees is regular if cquery(q) is. 

This traditional definition of regular monadic queries is simple for ranked trees but has drawbacks otherwise. First, it is not obvious how to compute such 
a → r(root) ∈ rules(A) 
---------------------- 
r ∈ runs^α_A(a) 

r|dom^α(t1) ∈ runs^α_A(t1)    r|dom^α(t2) ∈ runs^α_A(t2)    r(head^α(t1))@r(head^α(t2)) → r(head^α(t1 @^α t2)) ∈ rules(A) 
------------------------------------------------------------------------------------------------------------------------ 
r ∈ runs^α_A(t1 @^α t2) 

Fig. 7. Runs runs^α_A(t) of stepwise tree automata A on α-trees t 



queries efficiently, second, it is not obvious how to express them in monadic Datalog, and third, the definition of regular unranked queries depends on the correspondence to ranked queries. 

Run-based queries [15, 6] with stepwise tree automata resolve these problems. We define them parametrically for ranked and unranked trees. Runs of a stepwise tree automaton on α-trees t associate states to all elements of the domain of t. Sequences of children in unranked trees are visited stepwise from the left to the right, while annotating edges to the children by states. See Fig. 4 for an example. More formally, let the head of a ranked tree be its root; the head of a non-constant unranked tree is last_edge, and the head of a constant unranked tree the root: 

head^r(t) = root, head^u(t1 @^u t2) = last_edge, head^u(a) = root. 

A run of a tree automaton A on an α-tree t is a function labeling elements of the domain of t by states of A: 

r : dom^α(t) → states(A) 

such that all transitions are licensed by rules of A. If t = t1 @^α t2 then the restrictions of r to the domains of t1 and t2 must be runs and the annotation of the head of t must be justified. Furthermore, annotations of constants must be licensed. These conditions are captured by the inference rules in Fig. 7. 

Lemma 2. Let A be a stepwise tree automaton and t an α-tree, then: 
eval^α_A(t) = {r(head^α(t)) | r ∈ runs^α_A(t)} 

Proof. By induction on the construction of unranked trees. If t = a then eval^α_A(a) = {q | a → q ∈ rules(A)} = {r(root) | r ∈ runs^α_A(a)}. For t = t1 @^α t2 we have eval^α_A(t) = {q | q1 ∈ eval^α_A(t1), q2 ∈ eval^α_A(t2), q1@q2 → q ∈ rules(A)} which is equal to {q | r1 ∈ runs^α_A(t1), r2 ∈ runs^α_A(t2), r1(head^α(t1))@r2(head^α(t2)) → q ∈ rules(A)} by induction hypothesis. The definition of runs in Fig. 7 yields {r(head^α(t)) | r ∈ runs^α_A(t)}. 

A run r of an automaton A on an α-tree t is successful if r(head^α(t)) ∈ final(A). Let succ_runs^α_A(t) be the set of successful runs of A on t ∈ tree^α. 

Definition 3. A pair of a tree automaton A and a set Q ⊆ states(A) defines a monadic query which selects all elements from the domain of a tree t that are labeled by a state in Q in some successful run of A on t: 

query^α_{A,Q}(t) = {π ∈ dom^α(t) | r ∈ succ_runs^α_A(t), r(π) ∈ Q} 
Selection automata [6] similarly express queries for unranked trees, but rely on universal quantification over successful runs, and use a binary encoding of unranked trees in contrast to the definition above. 

Example. Reconsider the automaton A from Section 3: query^u_{A,{1}} defines the set of all a-leaves in unranked trees. Note that no automaton query with a bottom-up deterministic automaton can compute the same query, since it couldn't distinguish different a-nodes. 
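The definitions of Section 2 (ctree), Fig. 3 (both evaluators), Fig. 7 (runs over nodes and edges) and Definition 3, as an added example that is not the paper's code, instantiated with the automaton A of Section 3 and the tree a(b, a(a, b)) of its example. Unranked trees are pairs (label, children); the encoding of domain elements as ('n', path) for nodes and ('e', path) for the edge into the node at path is this example's own.

```python
def ctree(t):
    """Ranked construction of Section 2: a(t1,...,tn) = a @ t1 @ ... @ tn,
    parenthesised from the left; a ranked tree is a label or ("@", t1, t2)."""
    a, kids = t
    r = a
    for k in kids:
        r = ("@", r, ctree(k))
    return r

def head(t, path=()):
    """head^u: the last_edge of a tree with children, the root of a constant.
    Domain elements are ('n', path) for nodes and ('e', path) for the edge
    whose target is the node at path (this encoding is the example's own)."""
    _, kids = t
    return ("e", path + (len(kids),)) if kids else ("n", path)

class StepwiseTA:
    def __init__(self, const, app, final):
        self.const = set(const)    # rules a -> q      as (a, q)
        self.app = set(app)        # rules q1@q2 -> q  as (q1, q2, q)
        self.final = set(final)

    def eval_r(self, t):
        """Fig. 3 on ranked trees."""
        if isinstance(t, str):
            return {q for (a, q) in self.const if a == t}
        _, t1, t2 = t
        s1, s2 = self.eval_r(t1), self.eval_r(t2)
        return {q for (q1, q2, q) in self.app if q1 in s1 and q2 in s2}

    def eval_u(self, t):
        """Fig. 3 on unranked trees: children are consumed stepwise, left to right."""
        a, kids = t
        states = {q for (b, q) in self.const if b == a}
        for k in kids:
            ks = self.eval_u(k)
            states = {q for (q1, q2, q) in self.app if q1 in states and q2 in ks}
        return states

    def runs_u(self, t, path=()):
        """All runs of Fig. 7 on an unranked tree, as dicts domain element -> state."""
        a, kids = t
        # each partial run is paired with the state of its current head
        partial = [({("n", path): q}, q) for (b, q) in self.const if b == a]
        for i, k in enumerate(kids, 1):
            kpath = path + (i,)
            child_runs = [(cr, cr[head(k, kpath)]) for cr in self.runs_u(k, kpath)]
            partial = [({**r, **cr, ("e", kpath): q}, q)
                       for r, qs in partial for cr, qh in child_runs
                       for (q1, q2, q) in self.app if q1 == qs and q2 == qh]
        return [r for r, _ in partial]

    def query_u(self, t, Q):
        """Definition 3: elements labelled by a state in Q in some successful run."""
        return {pi for r in self.runs_u(t) if r[head(t)] in self.final
                for pi in r if r[pi] in Q}

# Automaton A of Section 3: unranked trees with at least one a-labelled leaf.
A = StepwiseTA(const={("a", 1), ("a", 0), ("b", 0)},
               app={(0, 0, 0), (0, 1, 2), (2, 0, 2), (0, 2, 2)},
               final={1, 2})
T = ("a", [("b", []), ("a", [("a", []), ("b", [])])])      # a(b, a(a, b))

if __name__ == "__main__":
    print(A.eval_u(T), A.eval_r(ctree(T)))                 # Lemma 1: both {0, 2}
    print(A.query_u(T, {1}))                                # the unique a-leaf
```

On a(b, a(a, b)) there are two runs, one of them successful; query_u with Q = {1} returns only the a-leaf, and with Q = {2} exactly the edges visited after it, as the example above describes.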

Proposition 3. A monadic query on ranked trees is regular if and only if it is equal to some query^r_{A,Q}. 

The proof relies on two standard automata transformations. The idea of the transformation from regular to run-based queries query^r_{A,Q} is to memorize the Boolean values in zip(t, q) in automata states. In order to generalize Proposition 3 to unranked trees, we establish the correspondence between unranked and ranked run-based queries. 

Theorem 1. Queries with stepwise tree automata on ranked and unranked trees correspond: 

query^r_{A,Q} = cquery(query^u_{A,Q}) 

Proof. We first note that runs of stepwise automata on unranked trees and ranked constructions correspond. For all t ∈ tree^u, we can prove: 

runs^r_A(ctree(t)) = {r ∘ cdom(t)^{-1} | r ∈ runs^u_A(t)} 

The theorem follows from straightforward calculations. For all t ∈ tree^r: 

cquery(query^u_{A,Q})(t) = cdom(t)(query^u_{A,Q}(ctree^{-1}(t))) 
                        = {π | r ∈ runs^u_A(ctree^{-1}(t)), r(cdom(t)^{-1}(π)) ∈ Q} 
                        = {π | r' ∈ runs^r_A(t), r'(cdom(t)(cdom(t)^{-1}(π))) ∈ Q} 
                        = query^r_{A,Q}(t)   □ 

6 Monadic Second Order Logic 

We next represent regular monadic queries in ranked and unranked trees in monadic second-order logic (MSO). 

The domain of the logical structure induced by an α-tree t is dom^α(t). The signature R^r for structures of ranked trees contains the following relation symbols: 

R^r = {child1, child2, root, leaf} ∪ {label_a | a ∈ Σ@} 

The binary relations child1 and child2 relate nodes to their first resp. second child. Unary relations label_a hold for all nodes labeled by a ∈ Σ. Furthermore, we permit the unary relations root and leaf. 

Logical structures for unranked trees have the following signature: 

R^u = {first_edge, next_edge, target, root, leaf} ∪ {label_a | a ∈ Σ@} 

The binary relation first_edge holds between a node and the edge to its first child. The next_edge relation links an edge with target π to the edge whose target is the next sibling of π. The target relation holds between an edge and its target node. 

Let x, y, z range over an infinite set Vars of node variables and p, q over an infinite set Preds of monadic predicates. The logics MSO^α have the following formulas: 

φ ::= B_n(x1, ..., xn) | p(x) | φ ∧ φ' | ¬φ | ∃x φ | ∃p φ 

where B_n ∈ R^α is a predicate with fixed tree interpretation of arity n. Note that the relations root and leaf could be expressed by the remaining relations in MSO^α. We add them anyway, as they will be needed in monadic Datalog later on. 

Let φ be an MSO^α-formula, t an α-tree, and σ an assignment of variables into the domain of t and of predicates into the powerset of this domain. We write t, σ ⊨_{MSO^α} φ if φ becomes true in t under σ. Every formula φ(x) with a single variable x defines a monadic query: 

query^α_{φ(x)}(t) = {σ(x) | t, σ ⊨_{MSO^α} φ} 

Theorem 2. [Thatcher & Wright [17]] Monadic queries expressed in monadic second order logic over ranked trees MSO^r are regular. 

Theorem 3. Ranked and unranked monadic queries expressed in monadic second-order logic correspond, and are thus regular; corresponding queries can be computed in linear time: 

{query^r_φ | φ ∈ MSO^r} = {cquery(query^u_φ') | φ' ∈ MSO^u} 

Fig. 8 presents forth and back translations between MSO^u and MSO^r. We have to show for every φ ∈ MSO^u that cquery(query^u_φ) = query^r_{[φ]_r}, and the analogous property for the back translation. We proceed by structural induction over formulas. The base cases contain the difficulty, the induction step being straightforward. 

We sketch the proof for the formula first_edge(x, y) to illustrate the principles. Consider a u-tree t and a variable assignment σ under which first_edge(x, y) becomes true. There exists a u-tree t0 = t1@t2 involved in the construction of t such that σ(x) is the root of t1 and σ(y) is the edge from t1 to t2. Since this is the first edge, t1 is a constant. Therefore, in the corresponding ranked tree, the node cdom(σ(x)) is a leaf and we have child1(cdom(σ(y)), cdom(σ(x))). The converse is proved in a similar way. 

The case of target(x, y) is more tedious as it relies on the recursive lar(x, y) formula, stating that x is a leaf whose last ancestor to the right is y. This means that y denotes the upmost node with child1*(y, x). A model of target(x, y) and its translation [target(x, y)]_r is shown in Fig. 10. 
Auxiliary predicates: 

ar'(x, p) =def p(x) ∧ ∀y∀z((child1(y, z) ∧ p(z)) → p(y)) 

ar(x, p) =def ar'(x, p) ∧ ∀p'(ar'(x, p') → subset(p, p')) 

lar(x, y) =def leaf(x) ∧ ∃p.p(y) ∧ ar(x, p) ∧ (root(y) ∨ ∃y' child2(y', y)) 

Logical connectives: 

[∃x ψ]_r =def ∃x [ψ]_r 
[∃p ψ]_r =def ∃p [ψ]_r 
[ψ ∧ ψ']_r =def [ψ]_r ∧ [ψ']_r 
[¬ψ]_r =def ¬[ψ]_r 
[p(x)]_r =def p(x) 

Node relations: 

[first_edge(x, y)]_r =def child1(y, x) ∧ leaf(x) 
[next_edge(x, y)]_r =def ∃z (child1(y, x) ∧ child1(x, z)) 
[target(x, y)]_r =def ∃z (child2(x, z) ∧ lar(y, z)) 
[label_a(x)]_r =def label_a(x)   (a ∈ Σ) 
[last_edge(x, y)]_r =def ∃z (lar(x, y) ∧ child1(y, z)) 
[root(x)]_r =def ∃y (lar(x, y) ∧ root(y)) 
[leaf(x)]_r =def ∃y child2(y, x) ∧ leaf(x) 

Fig. 8. Unranked into ranked MSO 



[∃x ψ]_u =def ∃x [ψ]_u 
[∃p ψ]_u =def ∃p [ψ]_u 
[ψ ∧ ψ']_u =def [ψ]_u ∧ [ψ']_u 
[¬ψ]_u =def ¬[ψ]_u 
[p(x)]_u =def p(x) 

[child1(x, y)]_u =def first_edge(y, x) ∨ next_edge(y, x) 
[child2(x, y)]_u =def (target(x, y) ∧ leaf(y)) ∨ ∃z (target(x, z) ∧ last_edge(z, y)) 
[label_a(x)]_u =def label_a(x)   (a ∈ Σ) 
[root(x)]_u =def (leaf(x) ∧ root(x)) ∨ ∃z (root(z) ∧ last_edge(x, z)) 
[leaf(x)]_u =def root(x) ∨ ∃z target(z, x) 

Fig. 9. Ranked into unranked MSO 



7 Monadic Datalog 

We next express regular monadic queries in monadic Datalog, a logic programming language, and discuss the expressive power compared to automata and MSO queries, for ranked and unranked trees. 

We consider monadic Datalog in trees without negation. The languages Datalog^α have the same signatures as MSO^α. The programs of Datalog^α are logic programs without function symbols, over predefined n-ary predicates in R^α and free monadic predicates p, q ∈ Preds. More precisely, a program P ∈ Datalog^α is a finite set of rules of the form: 

p(x) ← Body 

where Body is a sequence of goals with n-ary predicates B_n ∈ R^α: 

Body ::= B_n(x1, ..., xn) | p(x) | Body, Body 

Every program of Datalog^α can be seen as a formula of MSO^α; sets of clauses are conjunctions, clauses p(x) ← Body are universally quantified implications ∀Vars. p(x) ← Body, and bodies Body conjunctions of goals. 
Fig. 10. A solution of target(x, y) on the left; a solution of its ranked translation [target(x, y)]_r = ∃z (child2(x, z) ∧ lar(y, z)) on the right 



We interpret programs in Datalog^α in the least fixed point semantics over the structures of MSO^α. For every program P ∈ Datalog^α, predicate p ∈ Preds, and t ∈ tree^α let T^α_{P,t}(p) be the least solution of P over the tree structure of the α-tree t for predicate p. This yields a notion of monadic queries: 

query^α_{P(p)}(t) = T^α_{P,t}(p) 

Least fixed points can be expressed in MSO. As a consequence, every query in Datalog^α can be expressed in linear time in MSO^α. This shows that ranked queries in Datalog^r are regular (Theorem 2). 

Ranked monadic run-based automata queries can always be expressed in 
ranked monadic Datalog; the reduction is in linear time. The resulting Datalog 
program models the two phases of the linear time algorithm for answering au- 
tomata queries: the first bottom up phase computes all states of all nodes seen 
in all runs of the automaton, and a top down phase selects all nodes labeled by 
selection states in successful runs. 

Theorem 4. Ranked and unranked monadic queries expressed in monadic Datalog correspond, and are thus regular: 

{query^r_{P(p)} | P ∈ Datalog^r} = {cquery(query^u_{P'(p)}) | P' ∈ Datalog^u} 

Corresponding unranked queries can be computed from ranked queries in linear time; the converse is not true. 

It suffices to encode ranked Datalog queries into corresponding unranked queries in linear time. The translation basically refines the encoding from MSO^r into MSO^u: roughly, a rule p(x) ← Body is translated into p(x) ← [Body]_u. Conjunctions in [Body]_u can be replaced by commas, existential quantifications can be omitted, i.e., replaced by implicit universal quantification in rules. Disjunctions as in the definitions of [child1(x, y)]_u, [child2(x, y)]_u, and [root(x)]_u can be expressed by multiple rules. Such a rewriting, however, spoils linear time. We can circumvent this problem following Gottlob and Koch [7]: we normalise programs of Datalog^r into tree marking normal form (TMNF) in linear time before translation. TMNF programs have rules of the forms: 

p(x) ← B1(x).          p(x) ← q(y), B2(y, x). 
p(x) ← p0(x), p1(x).   p(x) ← q(y), B2(x, y). 
(diagram: rows Automata, Datalog, MSO; columns Unranked, Ranked; the unranked queries query^u_{A,Q}, query^u_{P(p)}, query^u_φ and their ranked counterparts, connected by reduction arrows) 

Fig. 11. Summary of reductions. Solid lines are in linear time, double lines are non-elementary. Black lines are proved, red lines induced 

t = a(t1, ..., tn)    ∀1 ≤ i ≤ n : r|nodes(ti) ∈ runs_H(ti)    a(L) → r(root(t)) ∈ rules(H)    r(root(t1)) ... r(root(tn)) ∈ L 
------------------------------------------------------------------------------------------------------------------ 
r ∈ runs_H(t) 

Fig. 12. Runs of Hedge Automata 



where B_n is an n-ary predicate of R^r. On ranked TMNF programs the reduction [_]_u can clearly be done in linear time. 

The inverse translation can be composed from our translations so far, which are summarized in Fig. 11. We first reduce unranked Datalog queries to MSO^u, then to MSO^r, move to ranked automata queries and then to ranked Datalog queries. The overall reduction has nonelementary complexity. 

Note that we cannot specialize the translation [_]_r from MSO^u to MSO^r into a translation from Datalog^u to Datalog^r. The problem is that we cannot express the auxiliary binary predicate lar(x, y). Its definition is recursive, but only monadic recursive predicates can be defined in monadic Datalog. 

Corollary 1. Stepwise tree automata, monadic Datalog, and MSO capture the class of regular monadic queries over unranked trees. 

This is a corollary of our correspondences between ranked and unranked queries and traditional results on ranked trees. All unranked automata queries query^u_{A,Q} can be expressed in linear time in Datalog^u, by indirection over ranked automata queries and Datalog^r. Unranked queries in MSO^u can be expressed by unranked automata queries by reduction to the ranked case. 

8 Hedge Automata 

We finally show how to express monadic queries with hedge automata [16,3] in linear time with stepwise tree automata. A hedge automaton H over Σ consists of a set states(H) of states, a set final(H) of final states, and a set of transition rules of the form a(L) → q where L is a regular set of words over states. 

Runs of hedge automata H on unranked trees t are functions r : nodes(t) → states(H) that satisfy the inference rule in Fig. 12. A hedge automaton H and a set of states Q ⊆ states(H) defines a monadic query for unranked trees: 

query^u_{H,Q}(t) = {π ∈ nodes(t) | r ∈ succ_runs_H(t), r(π) ∈ Q} 
states(step(H)) = states(H) ∪ ⋃_{a∈Σ, q∈states(H)} states(H_{a,q}) 
rules(step(H)) = ⋃_{a∈Σ, q∈states(H)} rules(H_{a,q}) 
               ∪ {p → q | p ∈ final(H_{a,q}), q ∈ states(H), a ∈ Σ} 
               ∪ {a → p | p ∈ init(H_{a,q}), q ∈ states(H)} 
final(step(H)) = final(H) 

Fig. 13. Hedge automata into stepwise tree automata 



For translating hedge automata into stepwise tree automata, we need to represent all regular languages L in transition rules explicitly. We use a family of finite word automata (H_{a,q})_{a∈Σ, q∈states(H)} over the alphabet states(H) to do so.

Proposition 4. Queries by hedge automata can be translated in linear time to queries by stepwise tree automata.

Proof. Given a hedge automaton H we define a stepwise tree automaton step(H) by unifying all subautomata H_{a,q} into a single finite automaton. We then add all states of states(H) to this automaton, and link them to all final states p of H_{a,q} through ε-transitions p → q. We add rules a → q' for all initial states q' of some H_{a,q}. The final states of step(H) are those in final(H), not those in final(H_{a,q}). The complete construction is detailed in Fig. 13. It remains to show that every run of H can be simulated by a run of step(H). □
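The construction of Fig. 13 as an added Python example; this is not code from the paper. It evaluates a hedge automaton directly, builds step(H) from the word automata H_{a,q}, and checks that both accept the same trees. The stepwise semantics assumed here is the usual one (a leaf rule a → p starts the run at a node, then one binary step p @ q' → p' per child, followed by ε-moves); the hedge automaton and the trees are constructed for this example.

```python
from dataclasses import dataclass, field

# Unranked trees are (label, [children]). The automata below are constructed
# for this example and are not taken from the paper.

@dataclass
class WordAut:
    """Finite word automaton H_{a,q} over the alphabet states(H)."""
    init: frozenset
    final: frozenset
    delta: dict = field(default_factory=dict)   # (p, q') -> set of p'

@dataclass
class Hedge:
    final: frozenset
    trans: dict          # (a, q) -> WordAut, encoding the rule a(L) -> q

def hedge_states(H, t):
    """{q | some run of H labels the root of t with q}. Children are evaluated
    first; then each H_{a,q} is run over the child-state word with all state
    choices for a child tried at once (choices at different positions are
    independent, so this subset run is exact)."""
    a, kids = t
    kid_states = [hedge_states(H, c) for c in kids]
    out = set()
    for (b, q), W in H.trans.items():
        if b != a:
            continue
        cur = set(W.init)
        for ks in kid_states:
            cur = {p2 for p in cur for k in ks for p2 in W.delta.get((p, k), ())}
        if cur & W.final:
            out.add(q)
    return out

def hedge_accepts(H, t):
    return bool(hedge_states(H, t) & H.final)

@dataclass
class Stepwise:
    leaf: dict       # a -> set of p            (rules a -> p)
    step: dict       # (p, q') -> set of p'     (rules p @ q' -> p')
    eps: dict        # p -> set of q            (rules p -> q)
    final: frozenset

def step(H):
    """Fig. 13: merge all H_{a,q}; their initial states become leaf rules for a,
    their transitions become binary rules, and their final states get an
    ε-rule to q. Word states are tagged with (a, q) to keep the copies apart."""
    S = Stepwise({}, {}, {}, H.final)
    for (a, q), W in H.trans.items():
        for p in W.init:
            S.leaf.setdefault(a, set()).add((a, q, p))
        for (p, k), ps in W.delta.items():
            S.step.setdefault(((a, q, p), k), set()).update((a, q, p2) for p2 in ps)
        for p in W.final:
            S.eps.setdefault((a, q, p), set()).add(q)
    return S

def closure(S, qs):
    todo, seen = list(qs), set(qs)
    while todo:
        for q in S.eps.get(todo.pop(), ()):
            if q not in seen:
                seen.add(q)
                todo.append(q)
    return seen

def stepwise_states(S, t):
    """States reachable at the root of t: start from the leaf rules for the
    label, then consume the children left to right with the binary rules."""
    a, kids = t
    cur = closure(S, S.leaf.get(a, set()))
    for c in kids:
        ks = stepwise_states(S, c)
        cur = closure(S, {p2 for p in cur for k in ks for p2 in S.step.get((p, k), ())})
    return cur

def stepwise_accepts(S, t):
    return bool(stepwise_states(S, t) & S.final)

# Constructed sample: b() -> qb and a(qb qb*) -> qa, i.e. an a-node whose
# children are one or more b-leaves; qa is the only final state.
SAMPLE_H = Hedge(
    final=frozenset({"qa"}),
    trans={
        ("b", "qb"): WordAut(frozenset({0}), frozenset({0})),
        ("a", "qa"): WordAut(frozenset({0}), frozenset({1}),
                             {(0, "qb"): {1}, (1, "qb"): {1}}),
    })
SAMPLE_TREES = [("a", [("b", []), ("b", [])]),          # accepted
                ("a", []),                               # rejected: needs a child
                ("a", [("b", []), ("a", [("b", [])])]),  # rejected: an a-child
                ("b", [])]                               # rejected: qb not final

def agree(H, trees):
    """True iff H and step(H) accept exactly the same trees."""
    S = step(H)
    return all(hedge_accepts(H, t) == stepwise_accepts(S, t) for t in trees)
```

The tagging of word states by (a, q) is what "unifying all subautomata" needs in practice: two word automata may reuse the same state names, and merging them without renaming would let a run of H_{a,q} continue in the rules of some other H_{b,q'}.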
Abstract. Verifying the safety property of a transition system given by
a term rewriting system is an undecidable problem. In this paper, we give 
an abstraction for the problem which is automatically generated from a 
given TRS by using abstract interpretation. Then we show that there are 
some cases in which the problem can be decided. Also we show a new 
decidable subclass of term rewriting systems which effectively preserves 
recognizability. 



1 Introduction 

Term rewriting systems (TRSs) can be used for modelling infinite state transition 
systems, e.g. cryptographic protocols, and some verification techniques for TRSs 
are proposed. Because of the universal computational power of TRSs, even the 
safety property for a TRS is undecidable. There are two approaches: 

1. to find a decidable sufficient condition [12, 13] and 

2. to give an abstraction [5,8]. 

If a given TRS satisfies the condition of the first approach, then we can automatically verify, for example, a safety property. However, some simple TRSs do not satisfy any of the conditions. On the other hand, in order to give an abstraction, one has to analyse an instance of the problem and give a special abstraction. In this paper, we give an abstraction for the problem which is automatically generated by using abstract interpretation [4, 9].

Abstract interpretation is a typical method to give an abstraction for data 
domains of programs. We give an abstraction for the set of all terms by giving 
an equational theory. The state space (the set of all terms) is abstracted to 
equivalence classes induced by a given equational theory. A similar idea can be 
found in [7]. The purpose of this study is to give a construction of an appropriate 
equational theory which defines an abstract domain for the state space. 

We also propose a new decidable sufficient condition for a verification problem 
to be decidable. The decidable class is given by the condition that no abstraction 
is needed in our method. 

* This work is done as a part of CREST project of Japan Science and Technology 
Agency. 
We use the usual notions of a (ground, linear) term, a position, a context, a TRS, a rewrite relation, a (recognizable) tree language, a tree automaton, etc. See [1, 3] for details. In the following, we only deal with linear TRSs. For a signature Σ and a set of variables V, T(Σ, V) denotes the set of all terms constructed from Σ and V, and T(Σ) denotes the set of all ground terms constructed from Σ. In this paper, we use f, g, h, ... as function symbols, x, y, z, ... as variables and a, b, c, ... as constant symbols. For a term t, let Pos(t) be the set of all positions of t and Pos_V(t) = {p ∈ Pos(t) | t/p ∈ V}, where t/p is the subterm of t at p. A TRS constructed from terms in T(Σ, V) will be said to be a TRS on T(Σ, V). For a TRS R, →_R denotes the rewrite relation induced by R and its reflexive and transitive closure is denoted by →*_R. For a tree language L1 and a TRS R, the image of L1 by the relation →*_R is denoted by (→*_R)(L1), i.e. (→*_R)(L1) = {t | s →*_R t, s ∈ L1}. A tree automaton (TA) is a 4-tuple (Σ, Q, Q_f, Δ) where Σ is a signature, Q is a set of states, Q_f is a set of final states and Δ is a set of transition rules. Transition rules are given as rewrite rules and the transition relation is defined as the rewrite relation of the transition rules as in [3]. For a TA A, let L(A) denote the language accepted by A.

2 Verification Problem 

In this section, we define the verification problem which we deal with throughout 
this paper. The problem is defined as follows. 

Problem 1. For a given signature Σ, a set V of variables, a TRS R on T(Σ, V) and two recognizable tree languages L1, L2 ⊆ T(Σ), decide whether or not

  (→*_R)(L1) ⊆ L2. □

Usually each recognizable tree language is given by a TA. Problem 1 can be regarded as a verification problem as follows. For a TRS R on T(Σ, V), we can consider a transition system whose state space is T(Σ) and whose transition relation is the rewrite relation of R. When we regard the terms (states) in L1 as the initial states, (→*_R)(L1) is the set of all reachable states of the transition system. Once a safety property or an invariant is given by the set L2, the transition system is safe if and only if (→*_R)(L1) ⊆ L2. The situation mentioned above is shown in Fig. 1.

Problem 1 is undecidable; this fact can easily be seen from the fact that the 
reachability problem of a TRS is undecidable in general. 

3 Abstract Interpretation 

Abstract interpretation [4, 9] can deal with the following problem. 

Problem 2. For a given ordered set (C, ≤) and elements c1, c2 ∈ C, decide whether c1 ≤ c2 or not. □

When deciding c1 ≤ c2 in the domain C is difficult or undecidable, abstract interpretation can be used as follows.
1. Find another ordered set (A, ≤_A) and mappings α: C → A and γ: A → C satisfying the following condition:

  ∀c ∈ C ∀a ∈ A.  c ≤ γ(a) iff α(c) ≤_A a.   (1)

The pair of mappings α and γ satisfying the condition above is called a Galois connection. In this situation, (C, ≤) is often called the concrete domain and (A, ≤_A) the abstract domain.

2. Find a1 ∈ A satisfying the following condition:

  α(c1) ≤_A a1 and γ(a1) ≤ c2.   (2)

From condition (1), α(c1) ≤_A a1 gives c1 ≤ γ(a1), so if there is such an a1 we can conclude that c1 ≤ c2.

Since the original Problem 2 has been divided into the two problems in (2), one may think that the problem becomes more difficult. But in some special cases, mentioned below, we can easily find an a1 satisfying (2). For functions f and g, let lfp(f) denote the least fixed point of f and f ∘ g denote the composition of f and g. If c1 = lfp(f) for a monotone function f: C → C, let g: A → A be the function g = α ∘ f ∘ γ. If lfp(g) ∈ A exists, then α(lfp(f)) ≤_A lfp(g) follows from condition (1), so a1 = lfp(g) satisfies the first half of (2).

4 Abstraction for Tree Languages 

In this section we define an abstraction for verification problems by adapting Problem 1 to Problem 2. First, let (C, ≤) be (2^{T(Σ)}, ⊆), the set of all tree languages with the inclusion order, and let c1 and c2 be (→*_R)(L1) and L2, respectively. Then Problem 1 can be seen as an instance of Problem 2. In the following, we assume that Σ, V, R and L1, L2 as in Problem 1 are given. Let f_R: 2^{T(Σ)} → 2^{T(Σ)} be the function defined as f_R(L) = {t | s →_R t, s ∈ L} ∪ L1. Then lfp(f_R) is the least upper bound (the union) of the increasing sequence (f_R^n(∅))_{n≥0}, and thus lfp(f_R) = (→*_R)(L1). We define an abstract domain and mappings α and γ to satisfy that

  γ(lfp(g_R)) is recognizable   (3)

if lfp(g_R) is obtained, where g_R = α ∘ f_R ∘ γ. If an abstraction satisfies condition (3), then we can check whether

  γ(lfp(g_R)) ⊆ L2   (4)

holds or not, and if (4) holds, then (→*_R)(L1) ⊆ L2.

Toshinori Takai

The abstraction used in this paper is defined by an equational theory. A 
similar idea can be found in [7]. 

Definition 1. For a set E of equations, let A_E be A_E = 2^{T(Σ)/E} and η: T(Σ) → T(Σ)/E be t ↦ [t]_{~E} for t ∈ T(Σ), where T(Σ)/E is the set of equivalence classes of the equational theory induced by E and ~E denotes the equational theory induced by E. We call A_E the equation-based abstraction by E, with the mappings α_E: 2^{T(Σ)} → A_E and γ_E: A_E → 2^{T(Σ)} induced from η, i.e.

  α_E(L) = {η(t) | t ∈ L} and γ_E(L) = {t | η(t) ∈ L}.

Example 1. Let R1 be {f(x, y) → f(g(x), h(y))}, E be the set of equations {g(g(x)) = g(x), h(h(x)) = h(x)} and L1 be the recognizable tree language {f(a, b)}. Then we have

  (→*_R1)(L1) = {f(g^n(a), h^n(b)) | n ≥ 0} and   (5)

  γ_E ∘ α_E((→*_R1)(L1)) = {f(g^n(a), h^m(b)) | n, m ≥ 1} ∪ {f(a, b)}.   (6)

In fact, (6) is recognizable whereas (5) is not, and (6) includes (5). □

In general, for a set E of equations, condition (3) does not hold for the equation-based abstraction by E. From the next section on, we present a technique to obtain a set of equations which can be used for solving verification problems, in the sense that (3) holds as in Example 1.

5 Verification Procedure 

For the function f_R of the previous section (f_R(L) = {t | s →_R t, s ∈ L} ∪ L1), we adopt the following procedures. In the following, a state of a TA may have a tree structure. A state having a tree structure t may be written as ⟨t⟩ to emphasize that t is a state. We call a tree-structured state ⟨t⟩ of the form t = f(t1, ..., tn) a term state, and any other state a constant state. See the following example.

Example 2. Let A be the TA consisting of {c → q, g(q) → q} with the final state q and R = {g(x) → h(x)} be a TRS. If we add the new transition rules h(q) → ⟨h(q)⟩ and ⟨h(q)⟩ → q with a new state ⟨h(q)⟩ to A, we obtain a TA accepting (→*_R)(L(A)). Here, the state q is a constant state and ⟨h(q)⟩ is a term state. □

Procedure 1. (addtrans) This procedure takes a term t on T(Σ ∪ Q). If t has already been defined as a state, then the procedure defines no transitions. Otherwise the procedure defines new states and transition rules of A as follows: (i) If t = c with c a constant, then define c → ⟨c⟩ as a transition rule. (ii) If t = f(t1, ..., tn) with f a function symbol of arity n, then define f(⟨t1⟩, ..., ⟨tn⟩) → ⟨t⟩ and execute addtrans(ti) for 1 ≤ i ≤ n. □
Procedure 2. (modify) This procedure takes a TA A = (Σ, Q, Q_f, Δ) and a linear TRS R on T(Σ, V) as inputs and outputs a TA A' as follows: For any rule l → r ∈ R, any substitution σ: V → Q and any state q ∈ Q, if lσ →*_A q and rσ ↛*_A q, then construct A' by adding ⟨rσ⟩ → q to A and execute addtrans(rσ), where ⟨rσ⟩ is a term state. That is, construct a new TA by adding new transition rules and states so that rσ →*_A' q holds. A transition move caused by ⟨rσ⟩ → q is called a rewriting move. □

We assume that any state not defined in addtrans is a constant state. Let Rec be the class of recognizable tree languages. In the following, we regard a TA A as the tree language L(A), and for a TRS R the procedure modify as a function modify_R: Rec → Rec defined by A ↦ modify(A, R). Although the function modify_R is not a strict implementation of f_R, it is proved in [11, 12] that lfp(f_R) = lfp(modify_R). From this fact and the properties of recognizable tree languages, we obtain the following theorem. For an integer k ≥ 0, let modify_R^k(A) be the TA obtained from a TA A by applying modify_R k times.

Theorem 1. [11, 12] For a verification problem (R, L1, L2) (Problem 1), if there is an integer k ≥ 0 such that modify_R^{k+1}(A) = modify_R^k(A) where L(A) = L1, then (→*_R)(L(A)) = L(modify_R^k(A)) and it is recognizable. □

This theorem says that if the procedure terminates for a given input, then the verification problem given by the input can be solved effectively.



6 Verification Procedure with Abstraction 

In this section, first we give a verification procedure with abstraction. Then we 
consider a class of TRSs which do not need any abstraction. 

The basic idea of the construction of equations is to find contexts which may appear repeatedly in terms in lfp(f_R). For example, in Example 1 the context g(□) is such a context. For such a context C, we define an equation C[C[x]] = C[x], which intuitively means that once a term t containing C, i.e. t = C'[C[t']] where C' is a context and t' a term, appears in lfp(f_R), we approximate lfp(f_R) by a tree language including the terms of the form C'[C^n[t']] for n ≥ 1. We try to find such contexts by analysing a kind of overlapping relation between the rewrite rules of the TRS. We define a graph (Definition 3) for this analysis, constructed from R. The overlapping relation is defined as follows.

Definition 2. Let Λ denote the root position. A term s sticks-out of a term t at (p1, p2), with p1 ∈ Pos_V(t) and p2 ∈ Pos_V(s), if for any position p with Λ ≤ p < p1 we have p ∈ Pos(s), the function symbol of s at p and the function symbol of t at p are the same, and p1 ≤ p2. If s sticks-out of t at (p1, p2) and p1 < p2, then we say that s properly sticks-out of t.

Example 3. Let s and t be the terms f3(h(x), g(h(y)), b) and f3(a, g(x), g(y)), respectively. Then s properly sticks-out of t at (2.1, 2.1.1). □
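Definition 2 as an added Python example (not code from the paper): positions are tuples of 1-based child indices with () standing for Λ, variables are plain strings, and the terms of Example 3 are the sample input. Definition 3 below applies this relation to subterms l/p' and r/p' of pairs of rules, which is not implemented here.

```python
# Terms: a variable is a plain string, an application is (symbol, (args...)).
# Positions are tuples of 1-based child indices; () is the root position Λ.

def positions(t):
    yield ()
    if not isinstance(t, str):
        for i, a in enumerate(t[1], 1):
            for p in positions(a):
                yield (i,) + p

def subterm(t, p):            # t/p
    for i in p:
        t = t[1][i - 1]
    return t

def var_positions(t):         # Pos_V(t)
    return [p for p in positions(t) if isinstance(subterm(t, p), str)]

def symbol(t):                # function symbol at the root, None for a variable
    return None if isinstance(t, str) else t[0]

def sticks_out(s, t):
    """Definition 2: all (p1, p2) with p1 in Pos_V(t), p2 in Pos_V(s) and p1 ≤ p2
    such that, at every position strictly above p1, s is defined and carries
    the same function symbol as t."""
    out, pos_s = [], set(positions(s))
    for p1 in var_positions(t):
        above = [p1[:i] for i in range(len(p1))]
        if all(p in pos_s and symbol(subterm(s, p)) == symbol(subterm(t, p)) for p in above):
            out.extend((p1, p2) for p2 in var_positions(s) if p2[:len(p1)] == p1)
    return out

def properly_sticks_out(s, t):
    """The pairs of sticks_out with p1 < p2 (p1 a strict prefix of p2)."""
    return [(p1, p2) for p1, p2 in sticks_out(s, t) if len(p2) > len(p1)]

# Example 3 of the paper: s = f3(h(x), g(h(y)), b), t = f3(a, g(x), g(y))
EX3_S = ("f3", (("h", ("x",)), ("g", (("h", ("y",)),)), ("b", ())))
EX3_T = ("f3", (("a", ()), ("g", ("x",)), ("g", ("y",))))
```

Note that the relation is not symmetric: t does not stick-out of s in Example 3, because above the variable positions of s the symbols of t differ (a versus h at position 1, and a variable versus h at position 2.1).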
Fig. 2. Conditions for the four cases



Definition 3. The generalized sticking-out graph of a TRS R is a directed graph G = (V, E) where V = {(l → r, v) | l → r ∈ R, v ∈ Var(l) ∪ Var(r)} and each edge in E, defined as follows, has a weight. Let l1 → r1 and l2 → r2 be (possibly identical) rewrite rules in R. The following situations 1 to 4 are illustrated in Fig. 2.

1. If r2 properly sticks-out of l1/p' at (p1, p2) with p' ∈ Pos(l1), then E contains an edge from (l2 → r2, r2/p2) to (l1 → r1, l1/(p'·p1)) with weight one.

2. If l1/p' sticks-out of r2 at (p1, p2) with p' ∈ Pos(l1), then E contains an edge from (l2 → r2, r2/p1) to (l1 → r1, l1/(p'·p2)) with weight zero.

3. If r2/p' properly sticks-out of l1 at (p1, p2) with p' ∈ Pos(r2), then E contains an edge from (l2 → r2, r2/(p'·p2)) to (l1 → r1, l1/p1) with weight one.

4. If l1 sticks-out of r2/p' at (p1, p2) with p' ∈ Pos(r2), then E contains an edge from (l2 → r2, r2/(p'·p1)) to (l1 → r1, l1/p2) with weight zero.



Example 4. Let R2, R3 and R4 be the TRSs defined as follows.

  R2:  v:  h(f2(x, h(g(y)))) → f2(g(k(y)), h(x))

  R3:  v1: g(x) → k(l(x))
       v2: k(x) → f(g(h(x)))
       v3: f(x) → k(l'(x))

  R4:  u1: g(f(k(k(x)))) → g(f(k(h(x))))
       u2: h(f(x)) → f(k(x))

Then the generalized sticking-out graphs G_R2, G_R3 and G_R4 of R2, R3 and R4 respectively are shown in Fig. 3. Let us see the construction of the generalized sticking-out graph G_R2. Since the right-hand side of v properly sticks-out of h(f2(x, h(g(y))))/1, a subterm of the left-hand side, at (1, 1.1.1), which is case 1 of Definition 3, there is an edge from (v, y) to (v, x) with weight 1. Moreover, since h(f2(x, h(g(y))))/1, a subterm of the left-hand side, sticks-out of the right-hand side at (2.1, 2.1.1), there is an edge from (v, x) to (v, y) with weight 0 due to case 2 of Definition 3. □



For defining g_R of Sect. 3, we consider a function ∇: Rec → Rec, called an abstraction operator, defined as ∇ = γ_E ∘ α_E where γ_E and α_E are defined by a set E of equations as in Definition 1. Once we obtain an abstraction operator
[Fig. 3 (graph drawings): G_R2 has the vertices (v, x) and (v, y); G_R3 the vertices (v1, x), (v2, x) and (v3, x); G_R4 the vertices (u1, x) and (u2, x). Edges are labelled with their weights 0 or 1.]

Fig. 3. Generalized sticking-out graphs



∇, by using modify_R and ∇ we can define the sequence of TAs for a TA A and a TRS R as A_n = (∇ ∘ modify_R)^n(A). If there is m such that A_{m+1} = A_m, we can take A_m as an abstraction of lfp(f_R).

In our technique described below, the equations for abstraction are obtained dynamically during the iteration of the procedure modify. In other words, instead of finding a set of equations statically from a given TRS and a TA, we use a sequence (E_n)_{n≥0} of sets of equations with E_n ⊆ E_{n+1} for n ≥ 0. Although it may not be necessary to construct a set of equations dynamically, in order to prove that an obtained set of equations satisfies condition (3), we give a verification procedure by modifying the procedure modify. Let ∇_n = γ_{E_n} ∘ α_{E_n} be the abstraction operator defined from E_n for n ≥ 0. Each E_n for n ≥ 0 is obtained during the computation of (A_n)_{n≥0}, where A_n is defined as A_n = (∇_n ∘ modify_R)^n(A). In this case, we still have that if there is m such that A_{m+1} = A_m, then we can take A_m as an abstraction of lfp(f_R).

For constructing a set of equations for abstraction, we modify the procedure modify by adding supplementary information S as an argument. The new argument S is a set, and an element of S is intuitively a heap of contexts. The heap increases or decreases according to the edges of the generalized sticking-out graph. If the generalized sticking-out graph has a cycle with weight one or more, the procedure introduces an equation by using the information in S. The procedure ∇_E, defined below, corresponds to introducing an equation for abstraction.

Procedure 3. (e-modify) This procedure takes a TA A = (Σ, Q, Q_f, Δ), a linear TRS R on T(Σ, V) and sets S and S_e of tuples (⟨t⟩, o, H) of a state ⟨t⟩ ∈ Q, a position o of t and a sequence H of vertices of the generalized sticking-out graph G_R of R as inputs, and outputs a TA A' and sets S' and S'_e of the same kind as S and S_e, which are defined by adding elements to A, S and S_e respectively as follows. For any rewrite rule l → r ∈ R, any substitution σ: V → Q and any state q ∈ Q, if

  lσ →*_A q and rσ ↛*_A q,   (7)

then (1) construct A' by adding ⟨rσ⟩ → q to Δ, (2) execute addtrans(rσ) and (3) do the following. For any variable x ∈ Var(l), let o_x and o'_x be the positions of x in l and r respectively and p_x be the state associated with x, i.e. l/o_x = x, r/o'_x = x and xσ = p_x, and do the following.

1. For any position o' with Λ < o' < o'_x, add (⟨rσ/o'⟩, o'', (l → r, x)) to S, where o'' is the position such that o'·o'' = o'_x.

2. If there is an element (p_x, o_h, H) ∈ S for some o_h and H such that H = H'·(l' → r', x') for some H', l' → r' and x', and there is an edge from (l' → r', x') to (l → r, x) in G_R

  with weight one, or with weight zero and |H'| ≥ 1,   (8)

then (a) if H has the form H = (l → r, x)·H'' for some sequence H'', add (p_x, o_h, H·(l → r, x)) to S_e, and (b) for any position o' with Λ < o' < o'_x·o_h add (⟨rσ/o'⟩, o'', H·(l → r, x)) to S, where o'' is the position such that o'·o'' = o'_x·o_h. □



Procedure 4. (∇_E) The abstraction operator ∇_E takes a TA A = (Σ, Q, Q_f, Δ), a linear TRS R on T(Σ, V) and sets S and S_e of the same kind as in e-modify as inputs, and outputs a TA A' which is defined from A as follows.

1. For any element (p_x, o_h, H) in S_e, (a) add an ε-transition rule ⟨p_x{o_h ← p_x}⟩ → p_x to Δ and (b) execute addtrans(p_x{o_h ← p_x}) for defining A'. The ε-rule ⟨p_x{o_h ← p_x}⟩ → p_x defined above is called an abstraction rule, and a move caused by an abstraction rule is called an abstraction move.

2. Finally, for any term state ⟨t⟩, if t →*_A' ⟨t'⟩ for some term state ⟨t'⟩ with ⟨t'⟩ ≠ ⟨t⟩ and ⟨t⟩ ↛*_A' ⟨t'⟩, add an ε-transition rule ⟨t⟩ → ⟨t'⟩ to A'. □



We explain the equation C[C[x]] = C[x] more precisely. We remark that if a state p_x is a term state, p_x can be written as p_x = C_{p_x}[q1, ..., qn] where each q_i is a constant state (1 ≤ i ≤ n). Also remark that a TA A can be seen as an order-sorted signature [2] by regarding each state as a sort; the set of terms of sort q (q a state of A) is {t ∈ T(Σ) | t →*_A q}. We assume C_{p_x}[q1, ..., qn]/o_h = q_m for some m and write x_p for a variable of sort p. The corresponding equation for the transition ⟨p_x{o_h ← p_x}⟩ → p_x is

  C_{p_x}[x_{q1}, ..., x_{q(m-1)}, C_{p_x}[x_{q1}, ..., x_{qn}], x_{q(m+1)}, ..., x_{qn}] = C_{p_x}[x_{q1}, ..., x_{qn}],

i.e. the hole of C_{p_x} at o_h is filled with another copy of C_{p_x}.

Let e-modify_R be the map (A, S, S_e) ↦ (A', S', S'_e) where (A', S', S'_e) is defined as e-modify(A, R, S, S_e), and ∇_E be the map (A, S, S_e) ↦ (A', S, S_e) where A' = ∇_E(A, R, S, S_e). We write (∇_E ∘ e-modify_R)^n(A) for the first component of (∇_E ∘ e-modify_R)^n(A, ∅, ∅). In this case, we still have that if there is k such that (∇_E ∘ e-modify_R)^{k+1}(A) = (∇_E ∘ e-modify_R)^k(A), we can take that TA as an abstraction of lfp(f_R). Summarizing the discussion above, we have a sound solution to Problem 1.

Theorem 2. For a verification problem (R, L1, L2) (Problem 1), if there is k such that (∇_E ∘ e-modify_R)^{k+1}(A) = (∇_E ∘ e-modify_R)^k(A) where A is a TA such that L(A) = L1, then (→*_R)(L(A)) ⊆ L((∇_E ∘ e-modify_R)^k(A)), and L((∇_E ∘ e-modify_R)^k(A)) satisfies (3) in Sect. 4 (i.e. it is recognizable). □

If (∇_E ∘ e-modify_R)^k(A) in the theorem above satisfies L((∇_E ∘ e-modify_R)^k(A)) ⊆ L2 (the inclusion problem can be solved effectively due to the properties of recognizable tree languages), then we can conclude that (→*_R)(L1) ⊆ L2.

Example 5. Let A be the TA consisting of {a → qa, b → qb, f(qa, qb) → qf} with the final state qf, i.e. L(A) = {f(a, b)}, and R1 be the TRS {v: f(x, y) → f(g(x), h(y))} of Example 1. The generalized sticking-out graph G_R1 consists of two cycles of weight one, a self-loop on (v, x) and a self-loop on (v, y):

  (v, x) ⟲ 1    (v, y) ⟲ 1   (9)

As mentioned in Sect. 4, lfp(f_R1) is not recognizable (see (5)). Let us apply e-modify. Since f(qa, qb) →*_A qf and f(g(qa), h(qb)) ↛*_A qf, we have the following new transition rules:

  g(qa) → ⟨g(qa)⟩    h(qb) → ⟨h(qb)⟩
  f(⟨g(qa)⟩, ⟨h(qb)⟩) → ⟨f(g(qa), h(qb))⟩    ⟨f(g(qa), h(qb))⟩ → qf

The procedure also adds the elements (⟨g(qa)⟩, 1, (v, x)) and (⟨h(qb)⟩, 1, (v, y)) to the set S at 1 of (3) in e-modify. Since there is no element (p, o, H) in S such that H has the form v·H'·v for some vertex v and sequence H', the abstraction operator ∇_E does nothing. For the second step, since f(⟨g(qa)⟩, ⟨h(qb)⟩) →*_A ⟨f(g(qa), h(qb))⟩ and f(g(⟨g(qa)⟩), h(⟨h(qb)⟩)) ↛*_A ⟨f(g(qa), h(qb))⟩, the procedure e-modify generates new transition rules and new elements of the set S as follows:

  g(⟨g(qa)⟩) → ⟨g(g(qa))⟩    h(⟨h(qb)⟩) → ⟨h(h(qb))⟩
  f(⟨g(g(qa))⟩, ⟨h(h(qb))⟩) → ⟨f(g(g(qa)), h(h(qb)))⟩
  ⟨f(g(g(qa)), h(h(qb)))⟩ → ⟨f(g(qa), h(qb))⟩

  (⟨g(g(qa))⟩, 1, (v, x))             (⟨h(h(qb))⟩, 1, (v, y))
  (⟨g(g(qa))⟩, 1·1, (v, x)·(v, x))    (⟨h(h(qb))⟩, 1·1, (v, y)·(v, y))
  (⟨g(qa)⟩, 1, (v, x)·(v, x))         (⟨h(qb)⟩, 1, (v, y)·(v, y))

Here we also obtain S_e as follows:

  (⟨g(qa)⟩, 1, (v, x)·(v, x))    (⟨h(qb)⟩, 1, (v, y)·(v, y))

By ∇_E of Procedure 4 and the set S_e above, we obtain the following transitions:

  ⟨g(g(qa))⟩ → ⟨g(qa)⟩    ⟨h(h(qb))⟩ → ⟨h(qb)⟩   (10)

Due to the abstraction moves by (10), there are no transition rules and no states left to add. Finally, we have a TA whose accepted tree language is

  {f(g^n(a), h^m(b)) | n, m ≥ 1} ∪ {f(a, b)}.   (11)

In fact, (11) is recognizable and (11) includes (5). □
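Procedures 1 and 2 (addtrans and modify, Sect. 5) together with the equation-based abstraction of Definition 1, as one added Python example that is not code from the paper. It runs Example 2 to a fixed point (Theorem 1), shows that Example 1 does not reach one, and then rebuilds the automaton of Example 5 with the abstraction rules (10) and the language (11). Two simplifications are assumed: the equations C[C[x]] = C[x] are given up front as unary contexts g(□), h(□) instead of being discovered through the sticking-out graph and the sets S, S_e of e-modify, and the inclusion test against L2 (which needs a complement or product construction) is not included; membership tests stand in for it.

```python
from dataclasses import dataclass, field
from itertools import product

# Terms over Sigma ∪ V ∪ Q: a variable is a plain str ("x"), an application is
# (symbol, (args...)), a constant is ("a", ()), and a state is a St whose key
# is a name (constant state) or a term over Sigma ∪ Q (term state <t>).
@dataclass(frozen=True)
class St:
    key: object

def T(f, *args): return (f, tuple(args))
def st(t): return t if isinstance(t, St) else St(t)          # <t>; a state is itself

def subst(t, sigma):                                         # tσ for σ: V -> Q
    if isinstance(t, str): return sigma[t]
    return t if isinstance(t, St) else (t[0], tuple(subst(a, sigma) for a in t[1]))

def variables(t):                                            # Var(t), first-occurrence order
    if isinstance(t, str): return [t]
    return [] if isinstance(t, St) else list(dict.fromkeys(v for a in t[1] for v in variables(a)))

@dataclass
class TA:
    rules: dict = field(default_factory=dict)   # (f, (q1, .., qn)) -> {q}
    eps: dict = field(default_factory=dict)     # p -> {q}, the ε-rules
    final: frozenset = frozenset()

    def states(self):
        qs = set(self.final)
        for (f, args), rhs in self.rules.items(): qs.update(args); qs.update(rhs)
        for p, rhs in self.eps.items(): qs.add(p); qs.update(rhs)
        return qs

    def closure(self, qs):                        # ε-closure of a set of states
        todo, seen = list(qs), set(qs)
        while todo:
            for q in self.eps.get(todo.pop(), ()):
                if q not in seen: seen.add(q); todo.append(q)
        return seen

    def reach(self, t):                           # {q | t ->*_A q}, bottom-up
        if isinstance(t, St): return self.closure({t})
        out = set()
        for combo in product(*(self.reach(a) for a in t[1])):
            out |= self.rules.get((t[0], combo), set())
        return self.closure(out)

    def accepts(self, t): return bool(self.reach(t) & self.final)
    def add_rule(self, f, args, q): self.rules.setdefault((f, tuple(args)), set()).add(q)
    def add_eps(self, p, q): self.eps.setdefault(p, set()).add(q)
    def size(self): return sum(map(len, self.rules.values())) + sum(map(len, self.eps.values()))

    def addtrans(self, t):    # Procedure 1: define <t> by f(<t1>, .., <tn>) -> <t>
        if isinstance(t, St) or st(t) in {q for rhs in self.rules.values() for q in rhs}: return
        self.add_rule(t[0], [st(a) for a in t[1]], st(t))
        for a in t[1]: self.addtrans(a)

def modify(A, trs):
    """Procedure 2, one round: whenever lσ ->* q but rσ does not, add <rσ> -> q."""
    Q = list(A.states())
    for l, r in trs:
        xs = variables(l)
        for image in product(Q, repeat=len(xs)):
            sigma = dict(zip(xs, image))
            lq = A.reach(subst(l, sigma))
            rs = subst(r, sigma)
            for q in (lq - A.reach(rs)) if lq else ():
                A.addtrans(rs)
                A.add_eps(st(rs), q)

def abstract(A, contexts):
    """Equations C[C[x]] = C[x] for the unary contexts C = f(□), f in `contexts`
    (given statically here): each term state <f(<f(p)>)> gets the abstraction
    rule <f(<f(p)>)> -> <f(p)>; then, as in step 2 of Procedure 4, a term state
    <t> is linked to every other term state that its own term t now reaches."""
    for s in list(A.states()):
        k = s.key
        if isinstance(k, tuple) and k[0] in contexts and len(k[1]) == 1 and isinstance(k[1][0], St):
            inner = k[1][0]
            if isinstance(inner.key, tuple) and inner.key[0] == k[0]: A.add_eps(s, inner)
    for s in list(A.states()):
        if isinstance(s.key, tuple):
            for s2 in A.reach(s.key) - A.closure({s}):
                if isinstance(s2.key, tuple): A.add_eps(s, s2)

def complete(A, trs, contexts=(), max_rounds=20):
    """Iterate abstract ∘ modify (rules are only ever added, so the size detects
    a fixed point); return how many rounds changed A, or None if no fixed point
    shows up within max_rounds (Theorems 1 and 2)."""
    for k in range(max_rounds):
        before = A.size()
        modify(A, trs); abstract(A, contexts)
        if A.size() == before: return k
    return None

def example_2():          # A = {c -> q, g(q) -> q}, R = {g(x) -> h(x)}
    q = St("q")
    A = TA(final=frozenset({q}))
    A.add_rule("c", [], q); A.add_rule("g", [q], q)
    return A, [(T("g", "x"), T("h", "x"))]

def example_5():          # L(A) = {f(a, b)}, R1 = {f(x, y) -> f(g(x), h(y))}
    qa, qb, qf = St("qa"), St("qb"), St("qf")
    A = TA(final=frozenset({qf}))
    A.add_rule("a", [], qa); A.add_rule("b", [], qb); A.add_rule("f", [qa, qb], qf)
    return A, [(T("f", "x", "y"), T("f", T("g", "x"), T("h", "y")))]
```

With `contexts=()` the loop is plain modify_R: Example 2 stabilises after one changing round, while Example 1 keeps producing deeper term states ⟨g^n(qa)⟩ and never stabilises. With `contexts=("g", "h")` the abstraction rules ⟨g(g(qa))⟩ → ⟨g(qa)⟩ and ⟨h(h(qb))⟩ → ⟨h(qb)⟩ of (10) appear after the second round and the result accepts exactly (11), an over-approximation of (5); a safety check then still needs the inclusion of that language in L2.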

Example 6. Consider the TRS R2 = {v: l_v → r_v} where l_v = f2(x, h(g(y))) and r_v = f2(g(k(y)), h(x)) (cf. Example 4), and the TA A consisting of the transition rules {a → qa, b → qb, g(qa) → q1, g(qb) → q2, h(q2) → q3, f2(q1, q3) → qf}. The accepted language is L(A) = {f2(g(a), h(g(b)))}. By the procedure e-modify, since l_vσ1 →*_A qf and r_vσ1 ↛*_A qf with σ1 = {x ↦ q1, y ↦ qb}, we have the following new transition rules

  h(q1) → ⟨h(q1)⟩    k(qb) → ⟨k(qb)⟩    g(⟨k(qb)⟩) → ⟨g(k(qb))⟩
  f2(⟨g(k(qb))⟩, ⟨h(q1)⟩) → ⟨r_vσ1⟩    ⟨r_vσ1⟩ → qf

and the elements (⟨h(q1)⟩, 1, x), (⟨k(qb)⟩, 1, y) and (⟨g(k(qb))⟩, 1.1, y) in S, where the name of the rewrite rule is omitted. For the second step, consider the sequence l_vσ2 →*_A ⟨r_vσ1⟩ with σ2 = {x ↦ ⟨g(k(qb))⟩, y ↦ qa}. Since r_vσ2 ↛*_A ⟨r_vσ1⟩, we have the following new transition rules

  h(⟨g(k(qb))⟩) → ⟨h(g(k(qb)))⟩    k(qa) → ⟨k(qa)⟩    g(⟨k(qa)⟩) → ⟨g(k(qa))⟩
  f2(⟨g(k(qa))⟩, ⟨h(g(k(qb)))⟩) → ⟨r_vσ2⟩    ⟨r_vσ2⟩ → ⟨r_vσ1⟩

and the elements (⟨h(g(k(qb)))⟩, 1, x), (⟨k(qa)⟩, 1, y) and (⟨g(k(qa))⟩, 1.1, y) of S.

For the third step, consider the sequence l_vσ3 →*_A ⟨r_vσ2⟩ with σ3 = {x ↦ ⟨g(k(qa))⟩, y ↦ ⟨k(qb)⟩}. Since r_vσ3 ↛*_A ⟨r_vσ2⟩, we have the following new transition rules and elements of S

  h(⟨g(k(qa))⟩) → ⟨h(g(k(qa)))⟩    k(⟨k(qb)⟩) → ⟨k(k(qb))⟩    ⟨r_vσ3⟩ → ⟨r_vσ2⟩
  f2(⟨g(k(k(qb)))⟩, ⟨h(g(k(qa)))⟩) → ⟨r_vσ3⟩    g(⟨k(k(qb))⟩) → ⟨g(k(k(qb)))⟩

  (⟨h(g(k(qa)))⟩, 1, x)    (⟨k(k(qb))⟩, 1, y)    (⟨g(k(k(qb)))⟩, 1.1, y)
  (⟨k(qb)⟩, 1, y·y)    (⟨k(k(qb))⟩, 1.1, y·y)    (⟨g(k(k(qb)))⟩, 1.1.1, y·y)

with an element (⟨k(qb)⟩, 1, y·y) of S_e. By the procedure ∇_E, the following transition rules corresponding to an abstraction are added:

  ⟨k(k(qb))⟩ → ⟨k(qb)⟩    ⟨g(k(k(qb)))⟩ → ⟨g(k(qb))⟩

For the fourth step, consider the sequence l_vσ4 →*_A ⟨r_vσ3⟩ with σ4 = {x ↦ ⟨g(k(k(qb)))⟩, y ↦ ⟨k(qa)⟩}. Since r_vσ4 ↛*_A ⟨r_vσ3⟩, we have the following new transition rules and elements of S

  h(⟨g(k(k(qb)))⟩) → ⟨h(g(k(k(qb))))⟩    k(⟨k(qa)⟩) → ⟨k(k(qa))⟩    ⟨r_vσ4⟩ → ⟨r_vσ3⟩
  f2(⟨g(k(k(qa)))⟩, ⟨h(g(k(k(qb))))⟩) → ⟨r_vσ4⟩    g(⟨k(k(qa))⟩) → ⟨g(k(k(qa)))⟩

  (⟨h(g(k(k(qb))))⟩, 1, x)    (⟨k(k(qa))⟩, 1, y)    (⟨g(k(k(qa)))⟩, 1.1, y)
  (⟨k(qb)⟩, 1, y·y·x)    (⟨k(k(qb))⟩, 1.1, y·y·x)    (⟨g(k(k(qb)))⟩, 1.1.1, y·y·x)
  (⟨k(qa)⟩, 1, y·y)    (⟨k(k(qa))⟩, 1.1, y·y)    (⟨g(k(k(qa)))⟩, 1.1.1, y·y)

with an element (⟨k(qa)⟩, 1, y·y) of S_e. By the procedure ∇_E, the following transition rules corresponding to an abstraction are added:

  ⟨k(k(qa))⟩ → ⟨k(qa)⟩    ⟨g(k(k(qa)))⟩ → ⟨g(k(qa))⟩

Due to those abstraction rules, the procedure terminates, and the language accepted by the resulting TA is

  {f2(g(k^n(a)), h(g(k^m(b)))) | n, m ≥ 1}
  ∪ {f2(g(k^{n+1}(b)), h(g(k^m(a)))) | n, m ≥ 1}
  ∪ {f2(g(a), h(g(b))), f2(g(k(b)), h(g(a)))}.   (12)

On the other hand, we can observe the following fact:

  lfp(f_R2) = {f2(g(k^n(a)), h(g(k^n(b)))) | n ≥ 0} ∪ {f2(g(k^{n+1}(b)), h(g(k^n(a)))) | n ≥ 0}.   (13)

We can see that (12) is recognizable whereas (13) is not, and (12) includes (13). □
In the rest of this section, we characterize a class of TRSs for which no abstraction is needed to compute lfp(f_R). As a consequence, we obtain a new decidable subclass of TRSs which effectively preserve recognizability. The outline is as follows. First, we show that if no abstraction rule is added during the iteration of e-modify, then the process terminates; this means that we obtain the strict implementation of lfp(f_R) by Theorem 1. Then we show that if an input TRS satisfies a certain condition (L-GFPO-TRS, Definition 4), no abstraction rule is added.

For a state q ∈ Q which may have a tree structure (i.e. the state q may be defined in addtrans), define the number of layers of q, denoted layer(q), as follows: (i) if q is a constant state, then layer(q) = 0, and (ii) if q = ⟨rσ/o⟩ with l → r ∈ R, o ∈ Pos(r), r/o not a variable, Var(r/o) = {x1, ..., xn} and σ = {xi ↦ qi | 1 ≤ i ≤ n}, then layer(q) = 1 + max{layer(qi) | 1 ≤ i ≤ n}. For a TRS R and a TA A, we consider the sequence of TAs A_n = (Σ, Q_n, Q_f, Δ_n) where A_n = (∇_E ∘ e-modify_R)^n(A).

Lemma 1. Assume A_k = (Σ, Q_k, Q_f, Δ_k) is defined as above for k ≥ 0 with an input TRS R. Also assume that Δ_k does not contain any abstraction rule. Let l → r be a rewrite rule in R, σ a substitution and q a state which are used at (1) of e-modify. Then for a variable x ∈ Var(l) such that xσ is a term state, there is an element (xσ, o_h, H'·(l' → r', x')) in S such that there is an edge from (l' → r', x') to (l → r, x) in the generalized sticking-out graph G_R with weight one, or the edge and H' satisfy condition (8) in e-modify. This situation implies that new elements are added to S at 2 of (3) in e-modify.

Proof. The proof is by induction on k. The base case holds since any state in Q_0 is a constant state. Assume the lemma holds for k = n − 1 and consider the case k = n. Let o_x be the position of x in l and p_x be the term state such that xσ = p_x. Let us consider the sequence lσ →* q at (7) of e-modify and how the number of layers changes from o_x to the root. There are four cases:

1. A rewriting move is caused at some position between o_x and the root in the sequence lσ →* q. Let o be the outermost such position. There are two subcases:
   (a) The number of layers does not increase at any o' with o < o' < o_x.
   (b) There is a position o' with o < o' < o_x such that the number of layers increases at o'.

2. There are no rewriting moves between o_x and the root in the sequence lσ →* q. There are two subcases:
   (a) The number of layers does not increase at any o' with Λ < o' < o_x.
   (b) There is a position o' with Λ < o' < o_x such that the number of layers increases at o'.

Assume case 1(a). The transition rule which causes the rewriting move at o can be written as ⟨r'σ'⟩ → q' for some l' → r' ∈ R, σ' and q'. When the rule ⟨r'σ'⟩ → q' was introduced, l'σ' →* q' held. Let o'' be the position such that o·o'' = o_x and x' be the variable such that r'/o'' = x'. By the inductive hypothesis, there is an element (p_x, o_h, H) in S for some o_h and H, and an element (p_x, o_h, H·(l' → r', x')) is added to S. Since there is no rewriting move between o_x and o and since p_x is a term state, we can see that r' properly sticks-out of l/o, case 1 of Definition 3.

Assume case 1(b), i.e. there is a position o' with o < o' < o_x such that the number of layers increases at o'. Let o' be the innermost such position. Let l' → r' be the rewrite rule used for the rewriting move at o. Then the state just before the rewriting move at o can be written as ⟨r'σ'⟩, since the transition rule which causes the rewriting move has the form ⟨r'σ'⟩ → q' for some state q'. Let o_1 and o'_1 be the positions such that o·o_1 = o_x and o·o'_1 = o' respectively. By the definition of o', we have r'/o'_1 ∈ V. Since there is no rewriting move between o' and o, the rules used there are defined in addtrans, which implies that the function symbols between o' and o coincide in l/o and r'. This means that l/o sticks-out of r' at (o'_1, o_1), case 2 of Definition 3. On the other hand, the state p_x can be written in the form ⟨r''σ''/o''⟩ for some l'' → r'' ∈ R, substitution σ'' and position o''. Since there is no rewriting move between o_x and o', the state at o' can be written as ⟨r''σ''/o''_1⟩ with o''_1 ≤ o''. Let p' = ⟨r''σ''/o''_1⟩, x' = r'/o'_1 and o''' be the position with o''_1·o''' = o''. Remark that x'σ' = p' and p'/o''' = ⟨r''σ''/o''⟩ (= p_x). When the transition rule ⟨r'σ'⟩ → q' was introduced, l'σ' →* q' held. By the inductive hypothesis, there is an element of the form (p', o'_h, H''·(l'' → r'', x'')) for some o'_h, H'' and x'' in S, and an element

  (p_x, o''_h, H''·(l'' → r'', x'')·(l' → r', x'))   (14)

is added to S with o'''·o''_h = o'_h, since o''_1 ≤ o'' and p_x = p'/o'''. Since there is an edge from (l' → r', x') to (l → r, x) with weight zero and (14) satisfies condition (8) in e-modify, the lemma holds.

Assume case 2(a). The proof of this case is similar to case 1(a). Since there is no rewriting move between o_x and the root, the state attached at the root position can be written as ⟨r'σ'/o'⟩ for some l' → r' ∈ R, σ' and o' ∈ Pos(r'), and p_x can be written as ⟨r'σ'/o''⟩ with o'·o_x = o''. Moreover, the function symbols in l and r'/o' on the path from o_x to the root coincide with each other, which is case 3 of Definition 3. Using the inductive hypothesis in the same way as in case 1(a), we can see that the lemma holds.

Assume case 2(b), i.e. there is a position o' with Λ < o' < o_x such that the number of layers increases at o'. The proof of this case is similar to case 1(b). Let o' be the innermost such position. Since the number of layers increases at o', the state attached at the root position can be written as ⟨r'σ'/o'⟩ for some l' → r' ∈ R, σ' and o' ∈ Pos(r'). Since there is no rewriting move between o' and the root, the function symbols in l and r'/o' on the path from o' to the root coincide with each other, which is case 4 of Definition 3. Using the inductive hypothesis in the same way as in case 1(b), we can see that the lemma holds. □

The following proposition says that if no abstraction rule is added during the 
iteration of e-modify, then the process must terminate. 
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Proposition 1. If there is no k > 0 such that contains an abstraction 

rule, then there is m >0 such that . 

Proof. The proof is by contradiction. Assume there is no $m$ such that = , which implies that the number of states of the TAs during the construction is unbounded. In other words, there is no bound on the size of term states in the constructed TAs. A state introduced during the construction has the form $(C_n[\cdots[C_1[q]]])$ where $q$ is a state of the original automaton and $C_i$ has the form $r_i\sigma_i/o_i$ for some rewrite rule $l_i \to r_i \in \mathcal{R}$, a substitution $\sigma_i$ and a position $o_i$ ($1 \le i \le n$). So there are states of the form $(C_n[\cdots[C_1[q]]])$ for any $n \ge 1$. On the other hand, when the state $(C_1[q])$ is introduced, an element $((C_1[q]), o_1, (l_1 \to r_1, x_1))$ is added to $S$ at 1 of (3) in the procedure $\epsilon$-modify for some position $o_1$ and variable $x_1$. Moreover, for any $n \ge 2$, due to Lemma 1, an element $((C_n[\cdots[C_1[q]]]), o_n, (l_1 \to r_1, x_1) \cdots (l_n \to r_n, x_n))$ is added to $S$ for some $(l_i \to r_i, x_i)$ and position $o_i$ with $2 \le i \le n$ and $C_n[\cdots[C_1[q]]] = \ldots$ at 2(b) of (3) in $\epsilon$-modify. Since the numbers of the rewrite rules and of the variables in $\mathcal{R}$ are finite, there are integers $j_1$ and $j_2$ such that $j_1 < j_2$ and $((C_{j_2}[\cdots[C_1[q]]]), o_{j_2}, (l_1 \to r_1, x_1) \cdots (l_{j_2} \to r_{j_2}, x_{j_2}))$ with $(l_{j_1} \to r_{j_1}, x_{j_1}) = (l_{j_2} \to r_{j_2}, x_{j_2})$. In this situation, from the construction 1 of $\epsilon$-modify, we can see that there is an element $((C_{j_2}[\cdots[C_{j_1}[q']]]), o', (l_{j_1} \to r_{j_1}, x_{j_1}) \cdots (l_{j_2} \to r_{j_2}, x_{j_2}))$ for some $q'$ and $o'$. In this case, since $(l_{j_1} \to r_{j_1}, x_{j_1}) = (l_{j_2} \to r_{j_2}, x_{j_2})$, at 2(a) of (3) in $\epsilon$-modify an element is added to $S_\epsilon$ and an abstraction rule is added in the procedure $\nabla_\epsilon$, a contradiction. □ 

The following proposition describes the relation between abstraction rules and the generalized sticking-out graph. 

Proposition 2. If an abstraction rule is added in the procedure $\nabla_\epsilon$, then in the generalized sticking-out graph $G_\mathcal{R}$ there is a cycle with weight one or more. 

Proof. An abstraction rule is added if and only if there is an element in $S$ of the form $(p_x, o_h, v \cdot H' \cdot v)$ for some $p_x$, $o_h$ and $v$, which is also an element of $S_\epsilon$. Since an element of $S$ is added according to $G_\mathcal{R}$, we can see that if there is no cycle in $G_\mathcal{R}$, no element is added to $S_\epsilon$. Let $(p, o, H)$ be an arbitrary element in $S$ with $H = (l_1 \to r_1, x_1) \cdots (l_n \to r_n, x_n)$ and $n \ge 2$. Due to condition (8) at 2 in $\epsilon$-modify, there is an integer $i \ge 1$ such that there is an edge from $(l_i \to r_i, x_i)$ to $(l_{i+1} \to r_{i+1}, x_{i+1})$ with weight one. This means that if an element is added to $S_\epsilon$, then there is a cycle with weight one or more. □ 

Definition 4. A TRS $\mathcal{R}$ is a generalized finitely path-overlapping term rewriting system (GFPO-TRS) if the generalized sticking-out graph of $\mathcal{R}$ has no cycle of weight one or more. 

We write L-GFPO-TRS for the class of linear GFPO-TRSs. As a corollary of Propositions 1 and 2 and Theorem 1, we obtain the following theorem. 

Theorem 3. A TRS in L-GFPO-TRS effectively preserves recognizability. □ 

Example 1. Let $\mathcal{R} = \{ f(x, y) \to f(a, g(x)) \}$ be a TRS. The generalized sticking-out graph $G_\mathcal{R}$ of $\mathcal{R}$ has two vertices $(v, x)$, $(v, y)$ and one edge $(v, x) \to (v, y)$ with weight 1. Since $G_\mathcal{R}$ has no cycle, $\mathcal{R}$ belongs to GFPO-TRS. □ 

Here we compare GFPO-TRS with the class of right-linear FPO-TRSs (RL-FPO-TRS) [12], which is known as the widest decidable subclass of TRSs that effectively preserves recognizability. The class RL-FPO-TRS includes both right-linear monadic TRSs [10] and linear generalized semi-monadic TRSs [6]. The class FPO-TRS is defined by sticking-out graphs [12], which can be re-defined using the notion of a generalized sticking-out graph. Let $\phi$ be a graph homomorphism defined for generalized sticking-out graphs as follows. For a TRS $\mathcal{R}$, a vertex $(v, x)$ of the generalized sticking-out graph $G_\mathcal{R}$ of $\mathcal{R}$ with $v \in \mathcal{R}$ and $x \in Var$, define $\phi(v, x)$ to be $v$, and for an edge $e: (v, x) \to (v', x')$ with weight $w$, define $\phi(e)$ to be the edge $v \to v'$ with weight $w$. For a TRS $\mathcal{R}$, the sticking-out graph of $\mathcal{R}$ is $\phi(G_\mathcal{R})$, where $G_\mathcal{R}$ is the generalized sticking-out graph of $\mathcal{R}$. 

Definition 5. [12] A TRS $\mathcal{R}$ is finitely path overlapping (FPO-TRS) if the sticking-out graph of $\mathcal{R}$ has no cycle with weight one or more. 

By the definition of the (generalized) sticking-out graph, FPO-TRS $\subseteq$ GFPO-TRS. Moreover, by Example 1, we obtain the following proper inclusion. 

Proposition 3. FPO-TRS $\subsetneq$ GFPO-TRS. □ 

By the previous proposition and the fact that RL-FPO-TRS includes non-left-linear TRSs, we obtain a new result on a decidable subclass of TRSs which effectively preserves recognizability. 

Proposition 4. L-GFPO-TRS and RL-FPO-TRS are incomparable. □ 



7 Discussion 

There are (even linear) TRSs for which an abstraction cannot be obtained by the verification technique proposed in this paper. In other words, the verification procedure with abstractions ($\epsilon$-modify) does not always terminate. More precisely, the abstraction rules proposed in this paper correspond to equations of the form $C[C[x]] = C[x]$ for a context $C$. For the TRS $\mathcal{R}_3$, in order to obtain an abstraction by equation-based abstraction, we may need equations of the form $C_1[C_2[x]] = C_2[C_1[x]]$ where $C_1$ and $C_2$ are contexts. In general, a TRS whose generalized sticking-out graph has two cycles of weight one or more which share the same vertex cannot be abstracted by our technique. To overcome such cases, a new abstraction operation $\nabla_s$ instead of $\nabla_\epsilon$ may be usable, where $\nabla_s$ is defined by replacing (1) and (2) of $\nabla_\epsilon$ by (1') adding an $\epsilon$-transition rule $(p_x) \to p_x/o_h$ to $A$. This move corresponds to an equation of the form $C[x] = x$, where we can regard $x$ as a variable of sort $p_x/o_h$ as mentioned in Sect. 5. 
Abstract. Logical systems in natural deduction style are usually presented in the Gentzen style. A different definition of natural deduction, that corresponds more closely to proofs in ordinary mathematical practice, is given in [Fitch 1952]. We define precisely a Curry-Howard interpretation that maps Fitch style deductions to simply typed terms, and we analyze why it is not an isomorphism. We then describe three reduction relations on Fitch style natural deductions: one that removes garbage (subproofs that are not needed for the conclusion), one that removes repeats and one that unshares shared subproofs. We also define an equivalence relation that allows one to interchange independent steps. We prove that two Fitch deductions are mapped to the same λ-term if and only if they are equal via the congruence closure of the aforementioned relations (the reduction relations plus the equivalence relation). This gives a Curry-Howard isomorphism between equivalence classes of Fitch deductions and simply typed λ-terms. Then we define the notion of cut-elimination on Fitch deductions, which is only possible for deductions that are completely unshared (normal forms of the unsharing reduction). For conciseness, we restrict in this paper to the implicational fragment of propositional logic, but we believe that our results extend to full first order predicate logic. 



1 Introduction 

For Gentzen style natural deduction ([Gentzen 1969]) there is a well-known notion of rewriting: cut-elimination. This is a procedure for eliminating 'detours' in a logical derivation that arise from first applying an introduction rule and then an elimination rule for a connective. This notion of reduction can be defined more concisely by associating typed λ-terms to natural deductions: there is the Curry-Howard isomorphism between natural deductions and simply typed terms, and cut-elimination in the former corresponds to β-reduction in the latter (see [Howard 1980]). A different definition of natural deduction is flag style natural deduction defined by [Fitch 1952]. See [Bornat and Sufrin 1999] for a nice implementation of a proof assistant based on flag deductions. Here, deductions are linear, written vertically, where every line consists of a formula and a motivation for the derivability of that formula (referring to previous lines). Furthermore, there is a notion of 'scope' (of an assumption) which is indicated by a flag. Apart from the closer correspondence to proofs in mathematical practice, a positive aspect is that subproofs can be shared. A negative aspect is that, due to the sharing, the notion of cut-elimination is blurred. Also, the order of the steps in a Fitch style deduction is somewhat arbitrary: a flag deduction can be seen as a linearization of a Gentzen style natural deduction tree and this linearization involves some arbitrary (bureaucratic) choices. This implies that one Gentzen style tree deduction corresponds to many flag deductions. We make this precise by using simply typed λ-calculus (see [Barendregt 1992]) and by defining a Curry-Howard formulas-as-types (and proofs-as-terms) interpretation from flag deductions to typed terms. The Curry-Howard interpretation that we define here is not the only possible one. We will come back to this point briefly in Section 5. The interest of our interpretation lies in the fact that it ignores those aspects of flag deductions that can be seen as 'bureaucracy'. To keep things simple and for space restrictions, we restrict here to simply typed λ-calculus with just arrow types and, for the logic, to propositional logic with just implication. 



2 Flag Style Natural Deduction 

We consider the implicational fragment, so the set of formulas, Form, is built up from a set of parameters, Par, using the implication →. The rules have the same style as for Gentzen style tree deduction, fixing the meaning of a connective by saying how to eliminate it (an E-rule) and how to introduce it (an I-rule). 



Flag deduction, a first definition 

Definition 2.1. The rules for natural deductions in flag style are the following. 

[The rule diagrams (hypothesis, →-E, →-I, repeat) are not recoverable from the source.] 

Remark 2.2. The order in which the lines appear in a flag deduction should be exactly as suggested by the above diagrams, except for the rule →-E, where A→B and A may be interchanged. All rules can be applied 'under a flag'. Furthermore, the repeat rule and the →-E rule can take their premise (the B, resp. the A and the A→B) from arbitrarily high, with the proviso that B must be 'in scope', i.e. it must not be 'under a closed flag'. 



136 Herman Geuvers and Rob Nederpelt 

The repeat rule allows one to use one sub-deduction several times. Its use will be discussed later. Some aspects of the definition are vague: we have not defined what it means for a formula to be 'in scope'. The idea is that the →-I rule closes a sub-deduction and that the formulas in that sub-deduction are not in scope anymore. The definition of flag deductions above lacks precision, especially if we want to study their structure in detail. We will therefore make the definition more precise in Definition 2.6, but first we give some examples. 



Example 2.3. The following four examples give an impression of flag deductions. (A vertical bar after the line number marks a flag, i.e. a hypothesis; the motivation is written at the end of the line.) 

D1 
1 | A→B 
2 | A 
3 | A 
4   B                    →-E, 1, 2 
5   A→B                  →-I, 3, 4 
6   A→A→B                →-I, 2, 5 
7   (A→B)→A→A→B          →-I, 1, 6 

D2 
1 | A 
2 | B 
3   A                    R, 1 
4   B→A                  →-I, 2, 3 
5   A→B→A                →-I, 1, 4 

D3 
1   ... 
n   A 
    ... 
m   A→A→B 
m+1 A                    R, n 
m+2 A→B                  →-E, m, m+1 
m+3 B                    →-E, m+2, m+1 

D4 
1 | A→B→C 
2 | A→B 
3 | A 
4   B                    →-E, 2, 3 
5   B→C                  →-E, 1, 3 
6   C                    →-E, 5, 4 
7   A→C                  →-I, 3, 6 
8   (A→B)→A→C            →-I, 2, 7 
9   (A→B→C)→(A→B)→A→C    →-I, 1, 8 



In D1, there are two possible ways of deriving B on line 4: →-E, 1, 2 or →-E, 1, 3. As it is recorded in the motivation at the end of the line (→-E, 1, 2 in this case), we can distinguish these two deductions: we will consider these two flag deductions as different. In D2 and D3 we see two possible uses of the repeat rule. D4 is a derivation of a well-known axiom of Hilbert style deduction. 

In D3 we can avoid the use of (repeat), because we can take premises for the →-E rule from arbitrarily high; the use of an explicit (repeat) is for readability only. In D2, we can only avoid the use of (repeat) if we allow →-introduction without explicitly writing the conclusion as the last formula. It is a matter of taste (and choice) whether one wants to allow this. If one does, we can omit the use of (repeat) completely from our deductions. We choose this option, so we can change D2 into the following correct deduction. 



D2 
1 | A 
2 | B 
3   B→A                  →-I, 2, 1 
4   A→B→A                →-I, 1, 3 
Flag deduction, an improved definition. We have already pointed out that Definition 2.1 is a bit informal, especially as to which formulas are 'in scope' (and may henceforth be repeated or used in the →-E rule). To define mappings between flag deductions and typed λ-terms, we give a more precise definition of flag deductions. In this definition, a flag deduction consists of a sequence of tuples (l_0, A_0, m_0), (l_1, A_1, m_1), ..., (l_n, A_n, m_n). Here each tuple is of the form (l, A, m), where l ∈ I is the label, taken from a countable set I (usually ℕ), A is a formula (the formula derived at that line) and m is the motivation for the derivation. This motivation contains the following information: which rule has been applied to derive the formula and on which lines the derivation is based. The motivations m will be of the following forms. (We write — to mean 'nothing', to be used for hypotheses.) 



m              | meaning 
—              | hypothesis ("raising" a flag) 
→-E, l_1, l_2  | →-elimination on the formulas on the lines with labels l_1, l_2 
→-I, l_1, l_2  | →-introduction on the formulas on the lines with labels l_1, l_2 
R, l           | repeat the formula on the line with label l 



Definition 2.4. 1. If Σ is a sequence of tuples (l, A, m) as above where each label occurs at most once as a line number, we call it a pre-deduction. 

2. Given a pre-deduction Σ and an l' ∈ I, we say that l' is Σ-fresh if l' does not yet occur in any of the tuples (l, A, m) of Σ. 

3. We say that the formula A is on line l in Σ (or just A is on line l, if Σ is clear from the context), if the tuple (l, A, ...) occurs in Σ. 

We will write a pre-deduction in the shape of a flag deduction, like the ones in Example 2.3. So a line (m, A, —) is depicted as 

m | A 

This raises a flag, whose "flagpole" we extend to the last line with an →-I, m, l motivation. 

Crucial notions in the definition of flag deductions are the scope of a deduction and the flag of a deduction. Given a deduction Σ, Scope(Σ) will be the set of lines in Σ from which we can 'use' formulas (at the end of Σ). Flag(Σ) is the line l of the 'last open flag'. 



Definition 2.5. For a pre-deduction Σ, we define the scope of Σ, Scope(Σ), as follows¹. 

Scope(    Σ_1 
        m | A 
          Σ_2 
        l   B   →-I, m, n )   =  Scope(Σ_1) ∪ {(l, B)} 

Scope(    Σ' 
        l   A   m )           =  Scope(Σ') ∪ {(l, A)}    if m ≠ [→-I, ...] 

In the first clause, we have [→-I, m, n] on the last line and we "search" upward for the line m containing a hypothesis (flag); if there is no line m or if line m contains no hypothesis, the scope is ∅. 

¹ For clarity, we give this definition by writing the deductions graphically. We could equivalently give it on the basis of the pre-deductions of Definition 2.4, but that just blurs the presentation. 

For Σ a pre-deduction, we define Flag(Σ) as follows. 

Flag(    Σ' 
       l | A )                =  (l, A) 

Flag(    Σ_1 
       m | A 
         Σ_2 
       l   B   →-I, m, n )    =  Flag(Σ_1) 

Flag(    Σ' 
       l   A   m )            =  Flag(Σ')    otherwise 

Note that Scope may yield an empty set and that Flag may be undefined. 
Definition 2.6. We inductively define the notion of flag deduction. 

1. (Flag raising) If Σ is a flag deduction or Σ = ∅ and l is a fresh label, then 

    Σ 
l | A 

is a flag deduction. 

2. (→-E) If Σ is a flag deduction with (l_1, A→B), (l_2, A) ∈ Scope(Σ) and l is fresh, then 

    Σ 
l   B       →-E, l_1, l_2 

is a flag deduction. 

3. (→-I) If Σ is a flag deduction with Flag(Σ) = (l_1, A), (l_2, B) ∈ Scope(Σ) and l is a fresh label, then 

    Σ 
l   A→B     →-I, l_1, l_2 

is a flag deduction. 

4. (Repeat) If Σ is a flag deduction with (l', A) ∈ Scope(Σ) and l is a fresh label, then 

    Σ 
l   A       R, l' 

is a flag deduction. 
Definition 2.7. Let Σ be a flag deduction. 

1. The conclusion of Σ is the formula on the last line of Σ. 

2. The assumptions of Σ are the formulas in the flags in Σ that are open (i.e. that have not been closed by an →-I rule). More formally, the assumptions of Σ are the formulas A for which 

∃l ∈ I ((l, A, —) ∈ Σ ∧ (l, A) ∈ Scope(Σ)). 

3. For Δ a set of formulas and A a formula, Δ ⊢_f A if there is a flag deduction Σ with conclusion A and assumptions in Δ. 



2.1 The Problem with Cut-Elimination 

In natural deduction, we speak of a cut if we first introduce a connective (via an intro rule) and then immediately eliminate it (via an elim rule for that same connective). In our case, that means: doing an →-I to introduce, say, A→B and then doing an →-E to derive B. (In full propositional logic there are more notions of cut: "commuting cuts", see [Prawitz 1965], that allow deduction rules to be interchanged, but that is not of interest here.) In Fitch style, this would amount to the following, where we denote the process of cut-elimination by ⇒_c. 

1   | A                                      Θ 
      Σ                                  m    A 
n     B                     ⇒_c               Σ[m/1] 
n+1   A→B       →-I, 1, n                     B 
      Θ                                       Π 
m     A 
      Π 
l     B         →-E, n+1, m 

The problem here is that the right derivation may not be well-formed: if in the sub-derivations Θ or Π the formula A→B on line n+1 is used, the right hand side derivation has invalid line references (referring to non-existent lines). The problem with cut-elimination is due to sharing of sub-derivations. To give a precise definition of cut-elimination we first define the formulas-as-types interpretation from flag deductions to simply typed λ-calculus. 



3 Formulas-as-Types for Fitch Style Natural Deduction 

For flag deductions, we define an interpretation into the set of simply typed λ-terms. For the mapping back, we will need labeled simply typed λ-terms (to be able to restore all the labels in the flag deduction). Labeled terms are terms where all sub-terms (except the variables) are labeled with a label from I: 

LTerm ::= Var_I^Typ | (LTerm LTerm)^I | (λVar_I^Typ.LTerm)^I 

The typing rules are the usual ones: we allow any l ∈ I to be used as a label. So we have 

- x_i^A : A, 

- (MN)^l : B if M : A→B, N : A and l ∈ I, 

- (λx_i^A.M)^l : A→B if M : B and l ∈ I. 

If we want to denote the label of a sub-term explicitly (in an application or an abstraction) we write (M^{l_1} N^{l_2})^l or (λx_i^A.M^{l_1})^l. 

Definition 3.1. The set of labels and variable indices of a labeled λ-term M will be denoted by lab(M). So, 

- lab(x_i^A) = {i}, 

- lab((MN)^l) = {l} ∪ lab(M) ∪ lab(N), 

- lab((λx_i^A.M)^l) = {l, i} ∪ lab(M). 

Similarly, we will denote the set of lines of a flag deduction Σ by lab(Σ). (These are the 'line numbers' that occur in Σ, which are taken from the same index set I as the labels and indices of λ-terms.) 

There is a straightforward mapping from the labeled to the unlabeled terms, by just erasing labels. We denote it by |_|, so if M ∈ LTerm, then |M| ∈ Term. We view a labeled term as a specific representation of an unlabeled term. Stated otherwise, we consider the terms modulo relabeling. However, we do not just allow any kind of relabeling, but only injective ones, because we want to be able to distinguish, e.g., two differently labeled versions of λf^{A→A→B}.λg^{A→A}.λx^A.((f(gx))(gx)) (the labels of the two terms are not recoverable from the source). 

Definition 3.2. A relabeling is an injective map r : I → I. By adding a labeling to a simply typed λ-term N, we mean to construct a labeled simply typed term M such that |M| = N and all labels and variable-indices in M are unique (i.e. distinct sub-terms of M have different labels, and similarly for variables). 

A relabeling r : I → I extends immediately to a map on labeled simply typed terms and to a map on flag deductions. If the labeled term M arises from P as a result of some relabeling r, we say that M is a relabeling of P. 

For mapping simply typed λ-terms to flag deductions, we first add a labeling and then we define the associated flag deduction. The mapping of flag deductions to simply typed λ-terms can be defined directly (without using labeled terms). As we will be using the labeled terms later, we define the map from flag deductions to labeled terms. 

Definition 3.3. The interpretation of a flag deduction Σ as a labeled simply typed λ-term, ⟦Σ⟧^L, is defined as follows. (We use the cases of Definition 2.6.) 

1. (Flag raising) If the last rule in Σ is a flag, then ⟦Σ⟧^L = x_l^A. 

2. (→-E) If the last rule in Σ is →-E, then ⟦Σ⟧^L = (⟦Σ<l_1⟧^L ⟦Σ<l_2⟧^L)^l. 

3. (→-I) If the last rule in Σ is →-I, then ⟦Σ⟧^L = (λx_{l_1}^A.⟦Σ<l_2⟧^L)^l. 

4. (Repeat) If the last rule in Σ is R, then [the right-hand side is missing in the source]. 

Here Σ<l denotes the pre-deduction Σ up to and including l. The interpretation of a flag deduction as a simply typed term is defined by just erasing the labels, so [equation missing in the source]. 

When treating examples, we will be using the usual notation for flag deductions, with real flags and flag poles to indicate the scope of a flag. It should be clear how we can transform the formal notation of flag deductions (as used above) into a deduction with 'real' flags and flag poles. 
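As an added example (not code from the paper), the following Python encodes pre-deductions as the tuples of Definition 2.4, implements Scope and Flag (Definition 2.5), checks well-formedness per Definition 2.6 and computes the labeled term of Definition 3.3. The formula encoding, the rule names and the treatment of repeat lines in the term (case 4 is missing from the extracted text) are my assumptions.

```python
"""Flag deductions (Definitions 2.4-2.6) and their labeled Curry-Howard
interpretation (Definition 3.3); added example, not the paper's code."""

# A formula is a parameter name (str) or an implication ("->", A, B).
def imp(a, b):
    return ("->", a, b)

def show(f):
    """Render a formula; -> associates to the right, as in the paper."""
    if isinstance(f, str):
        return f
    _, a, b = f
    left = show(a) if isinstance(a, str) else "(" + show(a) + ")"
    return left + "->" + show(b)

# A pre-deduction is a list of (label, formula, motivation) tuples; the
# motivation is None for a flag, ("->E", l1, l2), ("->I", l1, l2) or ("R", l).
def scope(lines):
    """Scope(Sigma) of Definition 2.5: the (label, formula) pairs still usable."""
    if not lines:
        return set()
    l, a, m = lines[-1]
    if m is not None and m[0] == "->I":
        # The last line closes flag m[1]: search upward for that flag line.
        for k in range(len(lines) - 2, -1, -1):
            if lines[k][0] == m[1]:
                return scope(lines[:k]) | {(l, a)} if lines[k][2] is None else set()
        return set()
    return scope(lines[:-1]) | {(l, a)}

def flag(lines):
    """Flag(Sigma): the last open flag as (label, formula), None if undefined."""
    if not lines:
        return None
    l, a, m = lines[-1]
    if m is None:
        return (l, a)
    if m[0] == "->I":
        for k in range(len(lines) - 2, -1, -1):
            if lines[k][0] == m[1] and lines[k][2] is None:
                return flag(lines[:k])
        return None
    return flag(lines[:-1])

def formula_on(lines, label):
    return next((a for l, a, _ in lines if l == label), None)

def check(lines):
    """Definition 2.6: raise ValueError unless `lines` is a flag deduction."""
    for k, (l, a, m) in enumerate(lines):
        prefix = lines[:k]
        if formula_on(prefix, l) is not None:
            raise ValueError(f"label {l} is not fresh")
        sc = scope(prefix)
        if m is None:                      # flag raising: always allowed
            continue
        if m[0] == "->E":                  # (l1, A->B), (l2, A) in scope
            a2 = formula_on(prefix, m[2])
            if (m[2], a2) not in sc or (m[1], imp(a2, a)) not in sc:
                raise ValueError(f"line {l}: invalid ->E")
        elif m[0] == "->I":                # Flag = (l1, A), (l2, B) in scope
            fl = flag(prefix)
            if fl is None or fl[0] != m[1] or not isinstance(a, tuple) \
                    or a[1] != fl[1] or (m[2], a[2]) not in sc:
                raise ValueError(f"line {l}: invalid ->I")
        elif m[0] == "R":                  # (l', A) in scope
            if (m[1], a) not in sc:
                raise ValueError(f"line {l}: repeat of a formula out of scope")
        else:
            raise ValueError(f"line {l}: unknown rule {m[0]}")
    return lines

def is_deduction(lines):
    try:
        check(lines)
        return True
    except ValueError:
        return False

def term(lines, label=None):
    """Definition 3.3: the labeled lambda-term of the deduction up to `label`
    (default: all of it). Case 4 (repeat) is lost in the source; it is assumed
    here to denote the term of the repeated line."""
    if label is not None:
        lines = lines[: next(k for k, ln in enumerate(lines) if ln[0] == label) + 1]
    l, a, m = lines[-1]
    if m is None:
        return f"x{l}"
    if m[0] == "->E":
        return f"({term(lines, m[1])} {term(lines, m[2])})^{l}"
    if m[0] == "->I":
        return f"(λx{m[1]}.{term(lines, m[2])})^{l}"
    return term(lines, m[1])

A, B = "A", "B"
# Constructed inputs: D1 and D2 of Example 2.3, and a deduction that repeats a
# formula from under a closed flag, which Definition 2.6 rejects.
D1 = [(1, imp(A, B), None), (2, A, None), (3, A, None), (4, B, ("->E", 1, 2)),
      (5, imp(A, B), ("->I", 3, 4)), (6, imp(A, imp(A, B)), ("->I", 2, 5)),
      (7, imp(imp(A, B), imp(A, imp(A, B))), ("->I", 1, 6))]
D2 = [(1, A, None), (2, B, None), (3, A, ("R", 1)), (4, imp(B, A), ("->I", 2, 3)),
      (5, imp(A, imp(B, A)), ("->I", 1, 4))]
BAD = [(1, A, None), (2, B, None), (3, imp(B, A), ("->I", 2, 1)), (4, B, ("R", 2))]

if __name__ == "__main__":
    for name, d in (("D1", D1), ("D2", D2), ("BAD", BAD)):
        ok = is_deduction(d)
        print(name, ok, show(d[-1][1]), term(d) if ok else "-")
```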

Example 3.4. We show the interpretation of two flag deductions as typed λ-terms. For readability, we write the type labels of the variables only in the λ-abstraction. 

[The two flag deductions are not recoverable from the source.] 

The typed λ-terms associated to these deductions are λx_1^{A→A→B}.λx_2^A.(x_1x_2)x_2 and λx_1^A.λx_2^B.x_1. 

Theorem 3.5 (Soundness of ⟦−⟧). If Σ is a flag deduction with conclusion A, then ⟦Σ⟧ : A. Moreover, if the assumptions of Σ are B_1, ..., B_n, with labels i_1, ..., i_n, respectively, then FV(⟦Σ⟧) = {x_{i_1}^{B_1}, ..., x_{i_n}^{B_n}}. 

Proof. By induction on the flag deduction Σ. □ 

In the definition of the opposite embedding, we assume that the terms are uniquely labeled, that is, distinct sub-terms of M have different labels and all the indices of the bound variables are distinct and distinct from the labels. To define the embedding, we first ignore the free variables (i.e. we do not raise flags), defining ([−])^p. Then we raise flags for all free variables, defining ([−]). There are basically two versions of the embedding: a simple-minded one that just creates a sub-derivation for every sub-term and uses a lot of instances of the repeat rule, and a more sophisticated one that does not create any repeat rule. We only treat the second one. 

Definition 3.6 (Simply typed terms → Flag deductions). The interpretation of a labeled simply typed λ-term M as a pre-deduction, ([M])^p, is defined as follows. 
1. For ([(M^{l_1} N^{l_2})^l])^p distinguish cases according to the shape of M and N. Let B be the type of (M^{l_1} N^{l_2})^l. 

(a) M and N are variables: ([(x_i^{l_1} x_j^{l_2})^l])^p is the single line 

l   B       →-E, i, j 

(b) M is a variable, N is not: ([(x_i^{l_1} N^{l_2})^l])^p is 

    ([N^{l_2}])^p 
l   B       →-E, i, l_2 

(c) N is a variable, M is not: ([(M^{l_1} x_j^{l_2})^l])^p is 

    ([M^{l_1}])^p 
l   B       →-E, l_1, j 

(d) Neither M nor N is a variable: ([(M^{l_1} N^{l_2})^l])^p is 

    ([M^{l_1}])^p 
    ([N^{l_2}])^p 
l   B       →-E, l_1, l_2 

2. For ([(λx_i^A.M)^l])^p distinguish cases according to whether M is a variable or not. Let B be the type of M. 

(a) ([(λx_i^A.x_j)^l])^p is 

i | A 
l   A→B     →-I, i, j 

(b) ([(λx_i^A.M^{l_1})^l])^p is 

i | A 
    ([M^{l_1}])^p 
l   A→B     →-I, i, l_1 

The interpretation of a labeled simply typed λ-term M as a full flag deduction, ([M]), is defined by adding flags for the free variables: if FV(M) = {x_{i_1}^{B_1}, ..., x_{i_n}^{B_n}}, then ([M]) is 

i_1 | B_1 
    ... 
i_n | B_n 
      ([M])^p 
Example 3.7. Compare with 3.4. We define the interpretation of two labeled λ-terms as flag deductions. For readability, we write the type labels only in the λ-abstractions. Consider the labeled typed λ-terms 

(λx_1^{A→A→B}.(λx_2^A.((x_1 x_2)^3 x_2)^4)^5)^6   and   (λx_1^A.(λx_2^B.x_1)^3)^4. 

Their interpretations are as follows. 

1 | A→A→B                          1 | A 
2 | A                              2 | B 
3   A→B           →-E, 1, 2        3   B→A      →-I, 2, 1 
4   B             →-E, 3, 2        4   A→B→A    →-I, 1, 3 
5   A→B           →-I, 2, 4 
6   (A→A→B)→A→B   →-I, 1, 5 

Observe that the (repeat) rule does not occur anymore in the resulting deductions. In the first case, we get the same deduction as the 'original' one of 3.4. In the second deduction, we obtain a different deduction from the one of 3.4: the (repeat) rule has been removed. So in general, it is not the case that ([−]) ∘ ⟦−⟧ is the identity: if we start from a flag deduction, map it to a λ-term and back, we will sometimes arrive at a different flag deduction than the one we started from. Apart from the repeat rule, there are more interesting sources for the non-isomorphism. This will be discussed in detail in Section 4. The other way around, it is the case that ⟦−⟧ ∘ ([−]) is the identity on simply typed λ-terms. First we give the soundness theorem for the second interpretation, of typed λ-terms as flag deductions. 

Theorem 3.8 (Soundness of ([−])). If M is a labeled term of type A, then ([M]) (following Definition 3.6) is a flag deduction with conclusion A. Moreover, if FV(M) = {x_{i_1}^{B_1}, ..., x_{i_n}^{B_n}} then the assumptions of ([M]) are B_1, ..., B_n, with labels i_1, ..., i_n, respectively. 

Proof. By induction on M. □ 

Theorem 3.9. Given a simply typed λ-term M, 

⟦([M])⟧ = M 

Proof. By induction on M. □ 

4 The Fine Structure of Flag Deductions 

We have already pointed out that there is no isomorphism between simply typed terms and flag deductions, because ([−]) ∘ ⟦−⟧ is not the identity. There are various origins for this non-isomorphism and we categorize them. 

Given a term M, we refer to ([M]) as the canonical flag deduction for M. If Σ is a flag deduction, we will also call ([⟦Σ⟧]) the canonical form of Σ, because it is the canonical flag deduction for ⟦Σ⟧. This yields the class of canonical flag deductions. There is an obvious isomorphism between the typed λ-terms and the canonical flag deductions (modulo relabeling). We want the equivalence relation on flag deductions, that we alluded to before, to be defined in such a way that the class of canonical flag deductions forms a complete set of representatives. This characterizes the canonical forms from a different point of view, purely in terms of flag deductions. 

R: Repeat Rule In flag deductions, the (repeat) rule can be applied everywhere. We do not want to distinguish two deductions that only differ in the applications of the (repeat) rule. The interpretation ⟦−⟧ maps such deductions to the same λ-term. 

G: Garbage (dead ends) In a flag deduction, there may be parts that do not contribute to the final result. We can call these parts 'garbage' or 'dead ends'. Garbage can be detected by looking at the set of lines that the conclusion depends on (following the 'motivations', collecting all lines starting from the conclusion); all lines that are not encountered in this way are garbage. Note that one cannot just remove one "garbage line", because there may be other (garbage) lines depending on it. (So one has to start removal with the last garbage line.) 



I: Permutation of independent steps The precise order of the deduction steps is somewhat arbitrary. See the following two examples. 

1 | A                              1 | A 
2 | A→B                            2 | A→C 
3 | A→C                            3   C          →-E, 2, 1 
4 | B→C→D                          4 | A→B 
5   C          →-E, 3, 1           5   B          →-E, 4, 1 
6   B          →-E, 2, 1           6 | B→C→D 
7   C→D        →-E, 4, 6           7   C→D        →-E, 6, 5 
8   D          →-E, 7, 5           8   D          →-E, 7, 3 

C, now given in line 5, can be located anywhere between lines 3 and 8. Two consecutive flags can also be permuted, as long as they are not closed. A flag can also move over a formula, if the derivability of the formula does not depend on the flag. This is shown in the second deduction. We view all these changes in a deduction as a permutation of independent steps. 



S: Sharing of subproofs Consider the following two flag deductions 

1 | B                              1 | B 
2 | (A→B)→(A→B)→C                  2 | (A→B)→(A→B)→C 
3 | A                              3 | A 
4   B          R, 1                4   A→B        →-I, 3, 1 
5   A→B        →-I, 3, 4           5   (A→B)→C    →-E, 2, 4 
6   (A→B)→C    →-E, 2, 5           6 | A 
7   C          →-E, 6, 5           7   A→B        →-I, 6, 1 
                                   8   C          →-E, 5, 7 

In the left deduction, the conclusion A→B is used twice (in lines 6 and 7), to do an →-elimination. The subproof of A→B (lines 3-5) is 'shared' by the two applications of →-E on lines 6 and 7. Although the example above is obviously quite trivial (for reasons of exposition), this is clearly a great advantage of flag deductions over ordinary natural deduction (and simply typed λ-terms): a result that has been derived in a certain context can be reused (i.e. as a source it can be 'shared' by consecutive other rules). In ordinary natural deduction, the result A→B would have to be derived twice. In terms of simply typed λ-calculus, this means that one and the same sub-term will occur several times. We illustrate this by computing the λ-term for this flag deduction, which is 

x_2 (λz^A.x_1)(λz^A.x_1) : C, 

where x_1^B is the variable associated to line 1 and x_2^{(A→B)→(A→B)→C} is the variable associated to line 2. The flag deduction associated with this λ-term is the deduction to the right above. Observe that the subproof of A→B has been copied and occurs twice in this flag deduction. Also the repeat rule has been removed. 

We now define an equivalence relation ≈_I on flag deductions that equates flag deductions that only differ as a consequence of permutation of independent steps. We also define 3 reduction relations: →_r that removes repeat rules, →_g that removes garbage and →_s that unshares deductions. 

Definition 4.1. Define the equivalence relation ≈_I on flag deductions as the reflexive, symmetric, transitive closure of the following relations. 

1. (Interchange of lines) If Σ ≠ ∅ then 

      Θ                          Θ 
l     A    m          ≈_I   l'   B    m' 
l'    B    m'               l    A    m 
      Σ                          Σ 

Note that, as we assume both sides of the ≈_I to be well-formed flag deductions, it must be the case that l ∉ m' and l' ∉ m. 

2. (Interchange of blocks) If Σ ≠ ∅, then 

      Θ                          Θ 
m   | A               ≈_I   l    B    m' 
      Π                     m  | A 
n     A→C                        Π 
l     B    m'               n    A→C 
      Σ                          Σ 

Note that, as we assume both sides of the ≈_I to be well-formed flag deductions, it must be the case that n ∉ m' and l ∉ Π. 





Remark 4.2 (to the Definition). Note that the well-formedness of the right hand side is not automatically implied by the well-formedness of the left hand side. We assume Σ ≠ ∅, because if Σ = ∅, then the deduction on the left of the ≈_I may have a different conclusion from the one to the right. 

Definition 4.3. The reduction relations →_g, →_r and →_s on flag deductions are defined as follows. 

1. If Σ ≠ ∅ and l ∉ Σ (no line of Σ refers to l), then 

      Θ 
m   | A 
      Π               →_g       Θ 
l     A→C                       Σ 
      Σ 

2. If Σ ≠ ∅, l ∉ Σ and m ≠ [→-I, ...], then 

      Θ 
l     A    m          →_g       Θ 
      Σ                         Σ 

3. If Σ ≠ ∅, then 

      Θ 
l     A    R, m       →_r       Θ 
      Σ                         Σ[m/l] 

4. [The fourth rule, a repeat of a flag formula, is not recoverable from the source.] 

5. If m = [R, k] or m = [→-E, k_1, k_2], then 

      Θ_1                       Θ_1 
l     A    m                l   A    m 
      Θ_2             →_s   l'  A    m 
l_0   B_1  ..., l, ...          Θ_2 
      Θ_3                   l_0 B_1  ..., l, ... 
l_1   B_2  ..., l, ...          Θ_3 
      Σ                     l_1 B_2  ..., l', ... 
                                Σ 

where l' is a fresh label. 

6. 

      Θ_1                       Θ_1 
n   | A                     n | A 
      Π                         Π 
l     A→C  →-I, n, p        l   A→C  →-I, n, p 
      Θ_2             →_s   n'| A 
l_0   B_1  ..., l, ...          Π' 
      Θ_3                   l'  A→C  →-I, n', p' 
l_1   B_2  ..., l, ...          Θ_2 
      Σ                     l_0 B_1  ..., l, ... 
                                Θ_3 
                            l_1 B_2  ..., l', ... 
                                Σ 

where Π' is just Π with fresh line numbers (p' being the copy of p). 

The transitive reflexive symmetric closure of — — >r, — and will be 
denoted by —gris- 



Remark j.j. In the reduction rules, apart from lines being repeated, garbage or 
interchangeable, we also have to take into accounts blocks: parts of a proof that 
are ’guarded’ by an ^-I-rule. 

Theorem 4.5 (Preservation of equality under [[-]]^ℓ and [[-]]). Let the two
flag deductions Σ and Θ be given. If Σ ∼ Θ or Σ →gr Θ, then [[Σ]]^ℓ = [[Θ]]^ℓ.
If Σ →s Θ, then [[Σ]] = [[Θ]].

Proof. For every base step in the definition of →gr or ∼, we show that [[-]]^ℓ
maps ∼-related flag deductions to equal λ-terms. Similarly for →s. □



Lemma 4.6 (Closure under →g, →r, →s). If Σ is a flag deduction and
Σ →g Σ' or Σ →r Σ' or Σ →s Σ', then Σ' is a flag deduction with the
same conclusion.

Proof. For every reduction step of Definition 4.3, we easily verify the statement
of the Lemma. □

Lemma 4.7. The reductions →g, →r and →gr (the union of →g and
→r) are strongly normalizing.

Proof. The →r and →g rules return a shorter flag deduction. □

It can also be proved that →gr is confluent. We will obtain this property
only as a consequence of uniqueness of normal forms, which we will prove by
defining the gr-normal form of a flag deduction directly (without reducing).

The end goal of this section is to prove the reverse of Theorem 4.5. To do
that we consider the →grs normal forms, so we first have to show that these
exist, which we do by proving that →s terminates on →gr-normal forms. We
first introduce some useful notions and state some auxiliary Lemmas.

For l a line in Σ, we want to define Σ↾l as the flag deduction that arises
from Σ by restricting to all those lines that are ‘needed’ by l. This is the
transitive closure of the ‘refers to’ relation, where a line l refers to l' if l' is used
in the motivation (the m) of line l. In taking this transitive closure we skip the
applications of the repeat rule. The set of needed lines is inductively defined as
follows.

Definition 4.8. Given a flag deduction Σ and a line (l, A, m) in Σ, we define
the set of needed lines for (l, A, m), lines_Σ((l, A, m)), by

$$
\begin{aligned}
\mathrm{lines}_\Sigma((l, A, -)) &= \{l\} \\
\mathrm{lines}_\Sigma((l, A, [R, l_0])) &= \mathrm{lines}_\Sigma(l_0) \\
\mathrm{lines}_\Sigma((l, A{\to}B, [{\to}\text{-I}, l_1, l_2])) &= \{l, l_1\} \cup \mathrm{lines}_\Sigma(l_2) \\
\mathrm{lines}_\Sigma((l, B, [{\to}\text{-E}, l_1, l_2])) &= \{l\} \cup \mathrm{lines}_\Sigma(l_1) \cup \mathrm{lines}_\Sigma(l_2)
\end{aligned}
$$

We will usually omit the formula A and the motivation m from this notation,
writing lines_Σ(l) instead. We write Σ↾l for Σ↾lines_Σ(l), the restriction of Σ
to the lines that are in lines_Σ(l).

Lemma 4.9. If Σ is in gr-normal form, then Σ↾l = Σ (with l the last line
of Σ).

Proof. Obviously, l' ∈ Σ↾l ⇒ l' ∈ Σ, so we only have to prove that all lines that
occur in Σ also appear in Σ↾l. This is an easy consequence of the Definition of
needed lines. □

Lemma 4.10. The set of ‘needed lines’ of a flag deduction is preserved under
gr-reduction. That is, for Σ →gr Σ', with last lines l and l' respectively,

lines_Σ(l) = lines_Σ'(l').

Which implies immediately that Σ↾l = Σ'↾l'.

Proof. By distinguishing cases according to the reduction step Σ →gr Σ'.

Corollary 4.11. For Σ a flag deduction with last line l,

gr-normal form(Σ) = Σ↾l.

Proof. Σ has a gr-normal form, say Σ →gr Σ1 →gr ... →gr Σn with Σn
in gr-normal form. From Lemma 4.10 it follows that Σ↾l = Σ1↾l1 =
... = Σn↾ln where lk is the last line of Σk. From Lemma 4.9, it follows that
Σn↾ln = Σn, so Σ↾l is Σn, the gr-normal form of Σ.
Lemma 4.12. If Σ is in gr-normal form, then lab(Σ) = lab([[Σ]]^ℓ).

Proof. For lab(Σ) ⊆ lab([[Σ]]^ℓ), we prove that all labels of Σ↾l (l the last line of
Σ) occur in [[Σ]]^ℓ. (Then we are done, because, by Lemma 4.9, Σ↾l = Σ for Σ in
gr-normal form.) Let l' ∈ Σ↾l, i.e. l' ∈ lines_Σ(l). We now prove l' ∈ lab([[Σ]]^ℓ)
by an immediate induction on lines_Σ(l). For the reverse, lab([[Σ]]^ℓ) ⊆ lab(Σ),
we prove lab([[Σ]]^ℓ) ⊆ lab(Σ↾l) by induction on [[Σ]]^ℓ.

Lemma 4.13. If Σ is in gr-normal form, and Σ →s Σ', then Σ' is also in
gr-normal form.

Proof. Let Σ be in gr-normal form with last line l, so l' ∈ lines_Σ(l) for all
l' ∈ lab(Σ). In Σ →s Σ' new lines are introduced, but they are also in the set of
needed lines of the last line, as is easily checked by analyzing the two possible
s-reduction steps. □

Lemma 4.14. If Σ is in gr-normal form and Σ →s Σ', then #lab([[Σ]]^ℓ) <
#lab([[Σ']]^ℓ).

Proof. In an s-reduction step, new labels are added. Now the Lemma follows
immediately from Lemmas 4.12 and 4.13. □

Corollary 4.15 (Termination of →s on gr-normal forms). If Σ is in
gr-normal form, then unsharing (→s) terminates on Σ.

Proof. The number of labels in [[Σ]]^ℓ strictly increases under →s (Lemmas 4.14
and 4.13). On the other hand, the λ-term [[Σ]] (without labels) does not change
under →s. There is a maximum to the number of labels that can occur in a
labeled version of [[Σ]], so →s terminates. □

We now study the ∼-equality on grs-normal forms. The main result is that,
for Σ and Θ in grs-normal form, if [[Σ]]^ℓ = [[Θ]]^ℓ, then Σ ∼ Θ. The main
technique for establishing this result is ‘merging’ two flag deductions into one.
The main property about merging is that, if Σ is a grs-normal form containing
the two independent lines l1 and l2, then merging Σ↾l1 and Σ↾l2 yields a
well-formed flag deduction Σ'. This only works for Σ in grs-normal form.

Definition 4.16. Given the flag deduction Σ, with l1, l2 ∈ lab(Σ), l1 and l2 are
Σ-independent, notation l1 ⊥Σ l2, if l1 ∉ lines_Σ(l2) and l2 ∉ lines_Σ(l1). We omit
Σ when it is clear from the context.

An important property of ⊥ is the following.

Lemma 4.17. If Σ is in s-nf and contains the line (l, A, [→-E, l1, l2]), then
l1 ⊥ l2.
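The needed-lines computation of Definition 4.8, the restriction Σ↾l of Corollary 4.11 and the independence relation of Definition 4.16 (with the check of Lemma 4.17), as an added Python example; this is not code from the paper. It assumes a tuple encoding of lines and motivations chosen here, reads the first clause of Definition 4.8 as the case of a flag, and, when a repeat line is dropped, redirects references to it to the repeated line (the Σ[l/m] substitution of the →r step); the deduction SIGMA is constructed for the example.

```python
from collections import Counter

# A flag deduction is a list of lines (label, formula, motivation) in order.
# Motivation encoding assumed here (not the paper's notation):
#   ('F',)           flag (hypothesis); read as the first clause of Definition 4.8
#   ('R', l0)        repeat of line l0
#   ('->I', i, k)    ->-introduction: flag i, last line k under the flag
#   ('->E', l1, l2)  ->-elimination: l1 : A->B and l2 : A

# Constructed deduction of A -> ((A->B) -> B) with one garbage line and one repeat.
SIGMA = [
    (1, 'A',              ('F',)),
    (2, 'A->B',           ('F',)),
    (3, 'B',              ('->E', 2, 1)),   # garbage: no later line needs it
    (4, 'A',              ('R', 1)),        # repeat of line 1
    (5, 'B',              ('->E', 2, 4)),   # refers to the repeat, not to line 1
    (6, '(A->B)->B',      ('->I', 2, 5)),
    (7, 'A->((A->B)->B)', ('->I', 1, 6)),
]

def by_label(sigma):
    return {lab: (lab, form, mot) for lab, form, mot in sigma}

def needed_lines(sigma, lab):
    """lines_Sigma(lab) of Definition 4.8: the 'refers to' closure, where a repeat
    contributes the lines of its source and is itself not needed."""
    mot = by_label(sigma)[lab][2]
    kind = mot[0]
    if kind == 'F':
        return {lab}
    if kind == 'R':
        return needed_lines(sigma, mot[1])
    if kind == '->I':
        return {lab, mot[1]} | needed_lines(sigma, mot[2])
    if kind == '->E':
        return {lab} | needed_lines(sigma, mot[1]) | needed_lines(sigma, mot[2])
    raise ValueError(f'unknown motivation {mot!r}')

def source(sigma, lab):
    """Follow a chain of repeats back to the line that is actually derived."""
    table = by_label(sigma)
    while table[lab][2][0] == 'R':
        lab = table[lab][2][1]
    return lab

def restrict(sigma, lab):
    """Sigma restricted to lines_Sigma(lab): garbage and repeats are dropped, and a
    reference to a dropped repeat is redirected to its source (assumption: this is
    what the Sigma[l/m] substitution of the ->r step amounts to)."""
    keep = needed_lines(sigma, lab)
    return [(l, form, (mot[0],) + tuple(source(sigma, x) for x in mot[1:]))
            for l, form, mot in sigma if l in keep]

def gr_normal_form(sigma):
    """Corollary 4.11: the gr-normal form of Sigma is Sigma restricted to its last line."""
    return restrict(sigma, sigma[-1][0])

def independent(sigma, l1, l2):
    """Definition 4.16: l1 and l2 are Sigma-independent when neither needs the other."""
    return l1 not in needed_lines(sigma, l2) and l2 not in needed_lines(sigma, l1)

def is_s_normal(sigma):
    """The characterisation used for Lemmas 4.23 and 4.29: every label of a line that
    is not a flag occurs at most once in a motivation."""
    flags = {l for l, _, mot in sigma if mot[0] == 'F'}
    refs = Counter(x for _, _, mot in sigma for x in mot[1:] if x not in flags)
    return all(n <= 1 for n in refs.values())

def elimination_premises_independent(sigma):
    """Lemma 4.17: in s-normal form the premises of every ->E line are independent."""
    return is_s_normal(sigma) and all(
        independent(sigma, mot[1], mot[2]) for _, _, mot in sigma if mot[0] == '->E')

if __name__ == '__main__':
    print(sorted(needed_lines(SIGMA, 7)))          # [1, 2, 5, 6, 7]
    for line in gr_normal_form(SIGMA):
        print(line)
    print(independent(SIGMA, 3, 5), independent(SIGMA, 5, 6))   # True False
```

Running it on SIGMA drops the garbage line 3 and the repeat 4 and rewrites line 5 to refer to line 1 directly, which is the gr-normal form Σ↾7; applying gr_normal_form a second time changes nothing, as Lemma 4.9 states.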

In the following we denote by oflag(Σ) the set of open flags of Σ.

Definition 4.18. The flag deductions Σ and Θ are compatible, notation
comp(Σ, Θ), if the following hold.

1. lab(Σ) ∩ lab(Θ) ⊆ oflag(Σ) ∩ oflag(Θ), i.e. a label that occurs in both Σ and
Θ must occur as an open flag in both.

2. If i ∈ oflag(Σ) ∩ oflag(Θ) then it occurs as the same flag in both Σ and Θ
(i.e. with the same formula).

To define the merging of two flag deductions Σ and Θ, we view them as
sequences. The goal is to prove that if both Σ and Θ are in grs-normal form,
then the merging is a well-formed flag deduction. But this is only the case if we
treat a part of a deduction that is ‘under a flag’ as a ‘block’ (one part of the
sequence Σ), thus disallowing lines from Θ to be moved under a flag of Σ.

Definition 4.19. If comp(Σ, Θ), we define the merging of Σ and Θ, notation
Σ||Θ, as the following flag deduction.

1. First remove oflag(Σ) from Σ and oflag(Θ) from Θ, obtaining Σ', resp. Θ'.

2. Now interleave the sequences Σ' and Θ', starting at the end with an element
of Σ'. In doing so, we consider a part (i, A, F), ..., (l, A→B, [I, i, k]) as one
element of the sequence.

3. Finally, put all elements of oflag(Σ) ∪ oflag(Θ) on top of the sequence in
a canonical way (following a fixed ordering).

Lemma 4.20. If comp(Σ, Θ) then Σ||Θ is a well-formed flag deduction.

Lemma 4.21. If comp(Σ, Θ) and Σ ∼ Σ', then Σ||Θ ∼ Σ'||Θ and Θ||Σ ∼
Θ||Σ'.

Proposition 4.22. Given two flag deductions Σ and Θ in grs-normal form, if
[[Σ]]^ℓ = [[Θ]]^ℓ, then Σ ∼ Θ.

Proof. By induction on the structure of [[Σ]]^ℓ.

var: [[Σ]]^ℓ = x_i. Then Σ and Θ are both (i, A, [F]).

app: [[Σ]]^ℓ = (M^{l1} N^{l2})^l. Then Σ and Θ end with an →-E rule. By induction
hypothesis, Σ↾l1 ∼ Θ↾l1 and Σ↾l2 ∼ Θ↾l2 and so
Σ ∼ ((Σ↾l1)||(Σ↾l2))(l, B, [E, l1, l2]) ∼ ((Θ↾l1)||(Θ↾l2))(l, B, [E, l1, l2]) ∼ Θ.

abs: [[Σ]]^ℓ = (λx_i:A.M^{l2})^l. Then Σ and Θ end with an →-I rule. They can be
of one of the following shapes (flag deduction diagrams, reconstructed from the scan):

first shape:
  i  | A
  k  | B
  l    A→B    →-I, i, k

second shape:
  k    B
  i  | A
  l    A→B    →-I, i, k

We distinguish cases according to whether x_i ∈ FV(M) (and then i ∈
lines(l2)) or x_i ∉ FV(M) (and then i ∉ lines(l2)). In the first case, Σ and
Θ must have the first shape. By induction hypothesis, Σ↾k ∼ Θ↾k.
Then also Σ↾l2 ∼ Θ↾l2, where the last open flag is preserved and hence
Σ ∼ Θ. In the second case, Σ↾l2 and Θ↾l2 do not contain i. Hence both
Σ and Θ are equal to a deduction of the second shape. By induction
hypothesis, Σ↾l2 ∼ Θ↾l2 and we can safely add the line (i, A, F) at the
end and also the line (l, A→B, [I, i, l2]) and hence Σ ∼ Θ. □

To prove the final theorem, we need two more Lemmas. They could have been
proved before already, but were not yet needed. Therefore we state them only
now. Both are proved by induction on the structure of Σ, using the fact that if l
is the label of a line that is not a flag, then l occurs at most once in a motivation
of Σ.

Lemma 4.23. If Σ is a flag deduction in s-normal form, then [[Σ]]^ℓ is a uniquely
labelled simply typed term. (That is, every label occurs at most once in [[Σ]]^ℓ.)

Lemma 4.24. For r a relabelling, Σ a flag deduction and M a labelled simply
typed term, if [[Σ]]^ℓ = M, then [[r(Σ)]]^ℓ = r(M).

Theorem 4.25. If [[Σ]] = [[Θ]], then Σ ∼grs Θ.

Proof. Suppose [[Σ]] = [[Θ]]. Consider the grs-normal forms of Σ and Θ: Σ' and
Θ'. Then [[Σ]] = [[Σ']] = [[Θ']] = [[Θ]]. This implies that [[Σ']]^ℓ = M, [[Θ']]^ℓ = N
with |M| = |N|. Moreover (by Lemma 4.23), all labels in M and N are unique,
so we can find a relabelling r such that r(M) is N. By Lemma 4.24, this means
that [[r(Σ')]]^ℓ = r(M) = N = [[Θ']]^ℓ. From Proposition 4.22, it now follows that
r(Σ') ∼ Θ'. Hence (as we work modulo relabelling), Σ ∼grs Σ' ∼ Θ' ∼grs Θ.

□

The following follows immediately from the Theorem and Theorem 3.9.

Corollary 4.26. Given a flag deduction Σ, ([[Σ]]) ∼grs Σ.



4.1 Defining Cut-Elimination 

We can now define cut-elimination on flag deductions by first taking the 
normal form and then eliminating cuts as discussed in Section 2.1. 

Definition 4.27. We define cut-elimination on flag deductions as follows.

[two rules given as flag deduction diagrams; not recoverable from the scan. Legible fragments: the left-hand sides contain a line l : A→B, a line k : A and a line l' : B with motivation →E, l, k; the right-hand sides contain the substitutions Σ[k/l] and Σ[k/k'], a line A→B with motivation →-I, k', n and a last line B with motivation R, n]

As usual, these reduction rules can also be applied in a context. In the definition,
we introduce repeat rules to make sure that B remains on the last line.
These can again be removed via →r steps.



Remark 4.28. Different from cut-elimination in Gentzen natural deduction, a
⇒c-step does not involve any duplication of subderivations, which may seem
odd. However, a ⇒c step can introduce sharing of subproofs and the unsharing
(via →s) involves duplication of subderivations. This also implies that, to apply
another cut-elimination step we first have to take the →s-normal form of the
result.



An example where a ⇒c step creates sharing is the following. (On the right
hand side, line l is shared by lines 4 and 6.)

[two flag deductions; not recoverable from the scan apart from the motivations →E, 1, l; →E, 2, l; →I, 5, 6; →E, 4, 7; R, 8 and →E, 9, l, and the line number l+1]



Lemma 4.29. If Σ is a well-formed flag deduction in →s-normal form and
Σ ⇒c Σ', then Σ' is a well-formed flag deduction with the same conclusion.

Proof. As all the lines (except for the flags) are referred to at most once in a
→s-normal form, we can safely move around the subparts (and remove some of
them) as indicated above.
Theorem 4.30. For Σ a well-formed flag deduction in →gs-normal form and
for M a uniquely labelled simply typed term,

Σ [illegible] Σ2 [illegible] Θ iff [[Σ]] [illegible] [[Θ]]

M →β N iff (M) [illegible] Σ1 [illegible] Σ2 [illegible]

where the Σ1 and Σ2 are existentially quantified.

5 Future Work 

In this paper we restrict to the simplest fragment of logic: minimal proposition
logic. But already there, important aspects of flag deductions become visible,
showing that in some way their structure (e.g. the order of the steps) is quite
arbitrary but that in another way (e.g. the reusability of proven results, ‘sharing’),
their structure is quite useful and interesting. The Curry-Howard interpretation
to simply typed λ-calculus that we define here and the analysis of cut-elimination
bring out this structure quite nicely.

We believe that the results of this paper can be extended to full first order
predicate logic. This will be presented in forthcoming work which is a more
detailed exposition of the results in this paper. A more interesting aspect is the
definition of a term calculus for flag deductions directly. Simply typed λ-calculus
ignores part of the structure of a flag deduction, extracting its ‘computational
content’ and removing ‘bureaucratic details’. But it also removes sharing and
we don’t consider that to be only a ‘bureaucratic detail’, but sometimes
computationally relevant. It was suggested by the referees to use a λ-calculus with
let-expressions to encode flag deductions faithfully. Then the reductions →grs
and the congruence can be described on these terms directly, giving a more
perspicuous presentation. The ‘sharing’ example deduction in Section 4 then is
interpreted as

let x5 = (λx3.let x4 = x1 in x4) in (let x6 = x2 x5 in (let x7 = x6 x5 in x7))

This gives connections with the monadic presentation of λ-calculus, the (operational)
CPS-translation, the (logical) A-translation.

Similarly, one can define a slightly different Curry-Howard embedding to
simply typed terms and then ∼ becomes σ-equivalence on λ-terms, as in the
work of [Regnier 1994]. This gives a connection with proof nets. We will exploit
these connections further and we thank the referees for their comments.

We note that the other suggested interpretations do not really follow the
inductive structure of the flag deductions. It might be interesting to find a
term-calculus for flag deductions where the basic constructors for flag deductions are
the same as for the term calculus.
Abstract. This paper presents an efficient implementation of the λ-calculus
using the graph rewriting formalism of interaction nets. Building
upon a series of previous works, we obtain one of the most efficient
implementations of this kind to date: outperforming existing interaction
net implementations, as well as other approaches. We conclude the paper
with extensive testing to demonstrate the capabilities of this evaluator.



1 Introduction 

One of the first algorithms to implement Lévy’s [9] notion of optimal reduction
for the λ-calculus was presented by Lamping [7]. With the help of linear logic [4],
this algorithm was tidied up and led to the well-known algorithm of Gonthier,
Abadi and Lévy [5]. Empirical and theoretical studies of this algorithm have
revealed several causes of inefficiency (accumulation of certain nodes in the graph
rewriting formalism). Asperti et al. [1] devised BOHM (Bologna Optimal Higher-Order
Machine) to overcome some of these issues, which has stood until now
as not only the most efficient (in terms of rewriting steps) implementation of
optimal reduction, but also the most efficient implementation of the λ-calculus.

Interaction nets [6] (a particular form of graph rewriting) have played a role
in the above algorithms. However, the focus has been on optimality, rather than
on using the interaction net framework. A parallel thread of work takes interaction
nets as a focus point rather than optimality. An important reason for this
choice is that, in addition to offering insight into issues such as sharing computation,
they provide an operational model which captures all the computation:
in other words, counting the rewrite steps is sufficient to measure the cost of a
computation. The key observation here is that in the previously mentioned
implementations of the λ-calculus, β-reduction (not including substitution) is just
another graph rewrite. Our aim therefore is to use a more pragmatic approach to
optimal reduction where we aim to find the minimum number of rewrite steps (β
included). Historically, this notion of “practical” optimality began in [11], based
on an interaction net encoding of linear logic due to Abramsky. Although this
first λ-evaluator based on interaction nets performed fewer interactions (rewrite
steps) for specific λ-terms than Lamping’s algorithm, it was never a match for
BOHM. A further attempt, YALE [12], provided a substantial improvement
which can systematically perform better than Lamping’s algorithm, and approximate
BOHM on specific classes of terms. However, when the need for optimality
kicks in, YALE is a very poor second best.

A question therefore remained: is there an efficient interaction net implementation
of the λ-calculus which does less work than BOHM? The purpose of
the present paper is to answer this question in the positive. Specifically, we give
a new λ-evaluator: KCLE (King’s College Lambda Evaluator) which has the
following features:

— It is efficient: although KCLE performs more β-reduction steps than optimal
reducers, the overall number of graph rewrite steps is smaller.

— It evaluates λ-terms to full normal form, even for open terms (as a side
effect, this offers a relatively simple notion of read-back, as normal forms are
images of the translation function).

— It is an interaction net, so we can take advantage of many results and
implementations, specifically parallel, where almost linear speedup has been
achieved. We discuss other advantages of interaction nets later.

Relation to Previous Work. The present paper is a continuation of a programme
of research by the author to use interaction nets as an efficient mechanism for the
encoding of the λ-calculus. Specifically, it builds upon two pieces of work: [11]
and [12]. It is also related to the work on interaction nets for Linear Logic [13].

Overview. The rest of this paper is structured as follows. In the next section we 
recall interaction nets, and motivate why we use them. In Section 3 we give the 
translation of the A-calculus into interaction nets. Section 4 studies the reduction 
system. In Section 5 we examine properties of the encoding. Section 6 gives 
experimental evidence of our results, where we compare with other systems. 
Finally, we conclude the paper in Section 7. 



2 Interaction Nets 



An interaction net system [6] is specified by giving a set Σ of symbols, and a set
ℛ of interaction rules. Each symbol α ∈ Σ has an associated (fixed) arity. An
occurrence of a symbol α ∈ Σ will be called an agent. If the arity of α is n, then
the agent has n + 1 ports: a distinguished one called the principal port depicted
by an arrow, and n auxiliary ports labelled x1, ..., xn corresponding to the arity
of the symbol. Such an agent will be drawn in the following way:

[diagram of an agent α with its principal port and auxiliary ports x1, ..., xn; not recoverable from the scan]

A net N built on Σ is a graph (not necessarily connected) with agents at the
vertices. The edges of the graph connect agents together at the ports such that
there is only one edge at every port. The ports of an agent that are not connected
to another agent are called the free ports of the net. There are two special
instances of a net: a wiring (no agents) and the empty net.

A pair of agents (α, β) ∈ Σ × Σ connected together on their principal ports
is called an active pair; the interaction net analog of a redex. An interaction
rule ((α, β) ⇒ N) ∈ ℛ replaces an occurrence of the active pair (α, β) by a
net N. The rule must satisfy two conditions: all free ports are preserved during
reduction (reduction is local, i.e., only the part of the net involved in the rewrite
is modified), and there is at most one rule for each pair of agents. The following
diagram illustrates the idea, where N is any net built from Σ.




We use the notation ⇒ for the one step reduction relation and ⇒* for
its transitive and reflexive closure. If a net does not contain any active pairs
then we say that it is in normal form. One-step reduction (⇒) satisfies the
diamond property, and thus we obtain a very strong notion of confluence. Indeed,
all reduction sequences are permutation equivalent and standard results from
rewriting theory tell us that all notions of termination coincide (if one reduction
sequence terminates, then all reduction sequences terminate).
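To make the definitions above concrete, here is an added Python example (not code from the paper or from KCLE) of a small interaction net engine: agents with a principal port and auxiliary ports, wires, active pairs, rules that preserve the free ports of the active pair, and reduction to normal form. The rule set is a constructed one for unary addition (agents Z, S and Add, assumed here, not the λ-calculus rules of the paper); it is used to check that different choices of which active pair to fire reach the same normal form in the same number of interactions, the strong confluence property just described.

```python
import itertools

# Constructed system, not the paper's: unary arithmetic with agents Z (arity 0),
# S (arity 1) and Add (arity 2). Port 0 of every agent is its principal port.
ARITY = {'Z': 0, 'S': 1, 'Add': 2}

class Net:
    # agents: id -> (symbol, [wire per port]); wires: id -> [end, end], an end being
    # (agent id, port) or ('free', name), the latter marking a free port of the net.
    def __init__(self):
        self.agents, self.wires, self._ids = {}, {}, itertools.count()

    def new_wire(self, *ends):
        w = next(self._ids)
        self.wires[w] = list(ends)
        return w

    def add_agent(self, symbol, wires):        # one wire per port: ARITY[symbol] + 1 of them
        a = next(self._ids)
        self.agents[a] = (symbol, list(wires))
        for port, w in enumerate(wires):
            self.wires[w].append((a, port))
        return a

    def remove_agent(self, a):
        _, wires = self.agents.pop(a)
        for port, w in enumerate(wires):
            self.wires[w].remove((a, port))
            if not self.wires[w]:
                del self.wires[w]              # the wire joining the two principal ports vanishes

    def join(self, w1, w2):
        # Merge two half-wires (each lost an end to a removed agent) into one wire.
        ends = self.wires.pop(w2)
        self.wires[w1].extend(ends)
        for end in ends:
            if end[0] != 'free':
                self.agents[end[0]][1][end[1]] = w1

    def active_pairs(self):                    # wires whose two ends are both principal ports
        return [(e1[0], e2[0]) for e1, e2 in self.wires.values()
                if e1[0] != 'free' and e2[0] != 'free' and e1[1] == e2[1] == 0]

def add_z(net, add, z):
    # Add |>< Z: 0 + y = y, so the result port is wired to the second argument;
    # the free ports of the active pair (result, second argument) are preserved.
    _, (_, result, arg) = net.agents[add]
    net.remove_agent(add)
    net.remove_agent(z)
    net.join(result, arg)

def add_s(net, add, s):
    # Add |>< S: (S x) + y = S (x + y); the new Add faces x with its principal port.
    _, (_, result, arg) = net.agents[add]
    _, (_, pred) = net.agents[s]
    net.remove_agent(add)
    net.remove_agent(s)
    inner = net.new_wire()
    net.add_agent('Add', [pred, inner, arg])
    net.add_agent('S', [result, inner])

RULES = {('Add', 'Z'): add_z, ('Add', 'S'): add_s}    # at most one rule per pair of symbols

def reduce_net(net, pick=0):
    # Fire active pairs until normal form; `pick` selects which redex fires next.
    steps = 0
    while (pairs := net.active_pairs()):
        a, b = pairs[pick % len(pairs)]
        sa, sb = net.agents[a][0], net.agents[b][0]
        if (sa, sb) not in RULES:
            a, b, sa, sb = b, a, sb, sa
        RULES[(sa, sb)](net, a, b)             # KeyError here would mean a pair without a rule
        steps += 1
    return steps

def wire_expr(net, expr, out):
    # Build the net of an int or ('add', e1, e2), delivering its value on wire `out`.
    if isinstance(expr, int):                  # the numeral n is the chain S^n(Z)
        for _ in range(expr):
            pred = net.new_wire()
            net.add_agent('S', [out, pred])
            out = pred
        net.add_agent('Z', [out])
    else:
        x, y = net.new_wire(), net.new_wire()
        net.add_agent('Add', [x, out, y])      # principal port faces the first summand
        wire_expr(net, expr[1], x)
        wire_expr(net, expr[2], y)

def read_numeral(net):
    # Decode the chain S^k(Z) hanging off the free port 'result' of a net in normal form.
    [w] = [w for w, ends in net.wires.items() if ('free', 'result') in ends]
    k = 0
    while True:
        [(a, _)] = [e for e in net.wires[w] if e[0] != 'free' and e[1] == 0]
        if net.agents[a][0] == 'Z':
            return k
        k, w = k + 1, net.agents[a][1][1]

def evaluate(expr, pick=0):
    # Return (number of interactions, value); the count does not depend on `pick`.
    net = Net()
    wire_expr(net, expr, net.new_wire(('free', 'result')))
    return reduce_net(net, pick), read_numeral(net)
```

For the nested expression ('add', ('add', 1, 1), ('add', 1, 2)) two active pairs coexist; firing them first-to-last or last-to-first gives the same net and the same count of 7 interactions, which is what makes "count the interactions" a well-defined cost measure.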

We choose to base this work on interaction nets rather than general graph
rewriting for several reasons. First, one perspective on interaction nets is that
they are a user defined instruction set (assembly language) for an object language.
We define this object language, and a compilation of a high-level language
(in this case the λ-calculus) and we directly obtain an implementation. The most
important aspect of this instruction set, as a consequence of the definition of
interaction rules, is that it expresses all the elements of a computation: there is no
external copying or erasing machinery for instance. Interaction nets can therefore
be seen as offering a low-level operational semantics. For this reason it is
one of the best formalisms for studying implementations and estimating the cost
of evaluation. For a given implementation, each interaction is a known, constant
time operation and therefore we are able to estimate costs more easily. It is also the
case that it is easy to identify the next rewrite rule (which is not always the case
in traditional λ-graph rewriting).

Another reason for choosing interaction nets is that we can take advantage of
their properties (such as strong confluence) to provide very simple and direct proofs
of correctness of encodings. In addition to these properties, we can also take
advantage of existing implementations, specifically parallel (see for instance [16])
where almost linear speedup has been demonstrated. Any system of interaction
nets that is written can therefore be executed on parallel hardware: no explicit
processor allocation is required.

The final reason is that interaction nets capture sharing in a very natural
way — indeed, one has to work quite hard to duplicate work. They are therefore
a natural fit when studying efficient implementations of any programming
language, and especially the λ-calculus.
3 Translation

In this section we give a translation T(·) of the λ-calculus into interaction nets.
The agents required for the translation will be introduced when needed, and
the interaction rules for these agents will be given in the following section. We
remark that the translation given here is very similar to that used by YALE [12],
with an essential difference that we identify closed abstractions in the translation
(the rewrite rules of the next section are quite different however).

A λ-term t with fv(t) = {x1, ..., xn} will be translated as a net T(t) with
the root edge at the top, and n free edges corresponding to the free variables:

[diagram of T(t) with the root edge at the top and free edges x1, ..., xn; not recoverable from the scan]

The labelling of free edges is just for the translation (and convenience), and is
not part of the system. The first case of the translation function is when t is a
variable, say x, then T(t) is translated into an edge:



X 

Abstraction. If t is an abstraction, say λx.t', then we first require that x ∈ fv(t').
If this condition is not satisfied, then we can add the following agent to the
translation of the body:

[diagram of the agent added to the translation of the body, with free edges x, x1, ..., xn; not recoverable from the scan]

Having assured this condition, there are two alternative translations of the
abstraction, which are both given in the following diagram:

[diagram of the two translations of an abstraction, with free edges x1, ..., xn; not recoverable from the scan]

The first case, shown on the left in the above diagram, is when fv(λx.t') = ∅.
Here we use one agent λc to represent a closed abstraction. This net corresponds
closely to usual graph representations of the λ-calculus (for instance [15]), except
that we explicitly connect the occurrence of the variable to the binding λ.

The second case, shown on the right, is when fv(λx.t') = {x1, ..., xn}. Here
we introduce three different kinds of agent: λ of arity 3, for abstraction, and two
kinds of agent representing a list of free variables. An agent b is used for each
free variable, and we end the list with an agent v. The idea is that there is a
pointer to the free variables of an abstraction; the body of the abstraction is
encapsulated in a box structure. We assume, without loss of generality, that the
(unique) occurrence of the variable x is in the leftmost position of T(t').

We remark that a closed term will never become open during reduction (although
of course terms may become closed, and indeed there are interaction
rules which will create a λc agent from a λ agent when needed). The use of the
λc agent identifies the case where there are no free variables, and plays a crucial
role in the efficient dynamics of this system.

Application. If t is an application, say uv, then T(uv) is given by the following
net, where we have introduced an agent @ of arity 2 corresponding to an
application. In addition, if u and v share common free variables, then c agents
(representing copy) collect these together pairwise so that a single occurrence of
each free variable occurs amongst the free edges.




That completes the cases for the translation, which is the same whether we
talk about typed or untyped terms. For typed terms, it is convenient to have a
constant at base type, say ∗ : I, which can be thought of as similar to an integer
for instance. For ∗ we can choose to represent this as the λ-term λx.x, and thus
we do not need to add anything to the translation nor to the interaction rules
of the next section.

We state one important static result about this translation, which is a direct
consequence of the fact that no active pairs are created for the translation of
normal forms.

Lemma 1. If t is a λ-term in normal form, then T(t) is a net in normal form.

Example 1. In Figure 1 we give three example nets corresponding to the terms
2' = λxy.(λz.(z(zy)))(λw.xw), K = λxy.x, and 2 = λfx.f(fx), which give a
flavour of the kinds of structures that we are dealing with.

Fig. 1. Example nets
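The agent inventory that the three cases of T(·) above introduce, applied to the terms of Example 1, as an added Python example; it is not code from the paper or from KCLE. Terms are encoded as tuples with the helpers V, L and A defined here. The wiring of the nets is not reconstructed (the diagrams are lost in the scan), only which agents each case contributes, so what the code computes is the static size of the encoding; the agent added for a bound variable without occurrences is taken to be ε, an assumption supported by Theorem 1's description of λI-terms as nets built without ε.

```python
from collections import Counter

# Terms are tuples: ('var', x), ('lam', x, body), ('app', u, v). The helpers V, L
# and A write them compactly; none of this is code from the paper.

def V(x):
    return ('var', x)

def L(*args):                       # L('x', 'y', body) = λx.λy.body
    *xs, body = args
    for x in reversed(xs):
        body = ('lam', x, body)
    return body

def A(*ts):                         # A(t, u, v) = (t u) v, left associative
    t = ts[0]
    for u in ts[1:]:
        t = ('app', t, u)
    return t

def fv(t):
    """Free variables of a λ-term."""
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'lam':
        return fv(t[2]) - {t[1]}
    return fv(t[1]) | fv(t[2])

def agents(t):
    """Multiset of agents in T(t), following the three cases of Section 3.
    A variable is a bare edge. Assumption: the agent added for a bound variable
    that does not occur in the body is the erasing agent ε (Theorem 1 ties the
    absence of ε to λI-terms, which is why that reading is taken here)."""
    if t[0] == 'var':
        return Counter()
    if t[0] == 'lam':
        _, x, body = t
        c = agents(body)
        if x not in fv(body):
            c['ε'] += 1               # make x occur in the body: add an erasing agent
        free = fv(t)
        if not free:
            c['λc'] += 1              # closed abstraction: one λc agent
        else:
            c['λ'] += 1               # open abstraction: λ of arity 3, ...
            c['b'] += len(free)       # ... one b per free variable ...
            c['v'] += 1               # ... and v closing the free-variable list
        return c
    _, u, v = t
    c = agents(u) + agents(v)
    c['@'] += 1                       # application agent of arity 2
    c['c'] += len(fv(u) & fv(v))      # one copy agent per free variable shared by u and v
    return c

def size(t):
    """Number of agents in T(t): the static size of the encoding."""
    return sum(agents(t).values())

# The terms of Example 1 (Figure 1).
TWO_PRIME = L('x', 'y', A(L('z', A(V('z'), A(V('z'), V('y')))), L('w', A(V('x'), V('w')))))
K = L('x', 'y', V('x'))
TWO = L('f', 'x', A(V('f'), A(V('f'), V('x'))))

if __name__ == '__main__':
    for name, term in [("2'", TWO_PRIME), ('K', K), ('2', TWO)]:
        print(name, dict(agents(term)), size(term))
```

For K the inner abstraction λy.x gets an ε agent (y does not occur) and, being open in x, a λ with one b and a v, while the outer abstraction is closed and becomes a single λc; for 2 the shared occurrence of f in f(fx) costs one c agent.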



4 Reduction 

In this section we give the heart of the work by defining the interaction rules for
the evaluator. We back these rules up with some intuitions, and in the following
section we state several properties of the rewrite system.

We begin by giving, in Figure 2, the interaction rules for KCLE. When
talking about these, we shall use the notation α ⋈ β to identify the rule where
the agents α and β make up the left-hand side. The final two rules in the figure
(δ ⋈ α, and ε ⋈ α) are rule schemes, and correspond to the general pattern




Efficient λ-Evaluation with Interaction Nets 161




Fig. 2. KCLE Interaction Rules



of rule for these agents, where α can be any of the agents. Where necessary, to
avoid ambiguity, we have labelled the free edges of the left and right-hand sides
of the rules.

Intuitions. Here we give some insight into the reduction process. The first two
rules λc ⋈ @ and λ ⋈ @ are performing β-reduction, (λx.t)u → t[u/x], where
t[u/x] is some form of explicit substitution. In both cases, the root of the term
is connected to the body of the abstraction, and the variable edge is connected
to the argument. In the second case a d agent is introduced which tries to erase
the list of free variables. The only interaction rule for d here is with v, in which
case they eliminate each other, as shown by the third rule.

The next two rules are concerned with the process of substituting one abstraction
inside another: (λx.t)[u/y] → λx.t[u/y].

1. λc ⋈ b corresponds to the case when u is a closed abstraction. This single
interaction allows the substitution to be made, and removes one occurrence
of b from the list of free variables of the abstracted term.

2. λ ⋈ b corresponds to the case when the term u is not closed. We do not block
this operation, but the substitution process may not complete (specifically,
the net under the abstraction is moved inside the other abstraction, but the
free variable list remains unsubstituted). If, by other reductions, the term
becomes closed, then it will indeed complete. The agent λb is used to wait to
interact with a v agent, in which case the substitution process is completed.
The example below indicates what is going on here.

The next two rules concern the copy agent c, which can initiate the duplication
of a closed abstraction. This is achieved by introducing δ agents inside
the body of the abstraction for λc. However, if the abstraction is not closed,
then the progress is blocked: this is the purpose of the λb agent. If the term
becomes closed during reduction, then v ⋈ λb will produce a λc agent in which
case copying can progress.

The rules for δ concern the duplication of a net. The first one shows δ ⋈ δ
which cancel each other, indicating that duplication is complete. Otherwise, a
δ agent copies everything which is indicated by the rule scheme: α can be any
agent of the system. The final rule scheme concerns erasing (garbage collection).
The ε agent simply erases everything it interacts with, and propagates.

Example Reduction. Figure 3 gives several snapshots of reduction, with the aim
of illustrating some of the intuitions given above. Starting from the example
term 2' = λxy.(λz.(z(zy)))(λw.xw), given in Figure 1, we perform the λ ⋈ @
and c ⋈ λ interactions to obtain the first net. Here we see that a λb agent has
been created to block the copying of the (open) abstraction. We also identify
where the d agent that has been introduced creates “junk” in the net: the sub-net
consisting of d, b and v could all be eliminated, but cannot be erased due to the
configuration of principal ports. This net is now in normal form.

However, if we construct the application 2' I, then a number of further
reductions are possible. After the λc ⋈ @ rule, we have the net for the identity
connected to the lowest b agent. Using λc ⋈ b twice allows this substitution
to be made. In the process, we create a λb ⋈ v interaction which converts λb
into λc. The redex created by the substitution can be contracted, and copied
giving us the second net in the figure. Four further interactions give the last
net in the figure. If we apply this to a further I, then we get the translation of
I as the final net after 4 interactions. The point here is that junk is removed
during reduction; computation can complete to a recognisable term if enough
arguments are provided.

Fig. 3. Example reduction sequence (snapshots)

5 Properties 

As we have seen in Figure 3, reduction is weak: a net in normal form does not
necessarily correspond to the translation of a λ-term in normal form. However, we
define an extension to the system, called the normal form extension, which allows
us to simulate full reduction in the λ-calculus. We then show that this extension
does nothing if the term is already in normal form. All proofs are inductive, and
use the interaction rules from the previous section. A key component in all the
proofs is the confluence of interaction nets: we only need to show that there exists
a specific reduction sequence of interactions, then we obtain the same result for
any permutation of this sequence. We begin by defining this extension.

Normal Form Extension. We extend KCLE with additional agents and rules
which will serve two purposes. First, they provide us with an operational
read-back procedure. Additional agents can be connected to all free edges of a
net, which will allow the net to be reduced to the representation of the normal
form of a translated term. Second, they can also be part of the system: whenever
we need to force reduction to normal form (for efficiency reasons for instance),
then we can introduce agents from this extension of the basic system. Since these
interaction rules are to some extent less important than the previous ones we
relegate them to the appendix. There are four agents of arity 1 [names not
recoverable from the scan], one agent of arity 2, and two agents (rendered \u and
cb in the scan) of arity 3. The interaction rules for these are given in Appendix A.

Next we define a general net construction, which is needed for the correctness 
result. 

Definition 1 (Enclosure). For any net N, we define E_α(N), the α-enclosure
of the net N, as:

In words, all the free edges are connected to α agents. The diagram shows the
case for ar(α) = 1, but any arity is possible.

Definition 2 (Normal Form Enclosure). Define T_nf(t) of a λ-term t as
E_φ3(E_φ2(E_φ1(T(t)))), which we call the normal form enclosure of a term t.

Lemma 2. For any λ-term t in normal form there is a terminating reduction
sequence T_nf(t) →* T(t) (i.e., the normal form extension has the global effect
of doing nothing with λ-normal forms).

We can now state the main results of this section. 

Theorem 1. Let t be a λI-term (i.e., a net built without the ε agent).

1. If t →*_β t' (t' a β-normal form) then there exists a terminating sequence
of interactions T_nf(t) →* T(t'). If t does not have a normal form, then
neither does T_nf(t).

2. If t is a closed simply typable term of base type, then there is a terminating
sequence of interactions T(t) →* ★ (i.e., using only the rules in Figure 2).

Remark 1. In the above theorem we can relax the condition of t being a λI-term
if we do not evaluate disconnected nets. Such a strategy for interaction nets does
indeed exist [3], and evaluators have been built that implement this strategy; see
for instance [17]. In this extended abstract we simplify matters by simply stating
the results for the λI-calculus. Also note that the first part of the theorem above
does not require that the term t is closed, and thus applies equally to open terms.

Proof. (Sketch.) The first part requires meticulous use of the normal form exten-
sion to show that a particular reduction sequence in the λ-calculus is simulated.

The second is less complex, and we give some additional details here. The
key to the proof is a substitution lemma: it is well known that for closed terms
of ground type there is always a closed substitution being propagated during
reduction [3]. Using this property, we can simulate substitutions. The only
additional property that we require is that the encapsulation E_δ(N) duplicates
a net N when N is a net in normal form.



6 Testing

There are a number of standard benchmark results that are used to test the
performance of these kinds of evaluators. We base ours on those used to demon-
strate BOHM [2], which is the system that we use as the basis of the comparison.
These terms generate vast computations, and in particular include terms where
sharing plays a significant role for the evaluation. Table 1 shows some evaluations
of Church numerals. Results of the form 8(4) should be read as 8 interactions,
of which 4 were λ ⋈ @ (thus giving a count of the number of β-reductions per-
formed). The number of β-reduction steps performed is only given for curiosity:
it is the number of interactions which gives a measure of actual work. To give
some indication as to what some of these numbers mean, 2 2 2 2 2 I I evaluates
in around 5 seconds using KCLE, whereas BOHM takes approximately 10 min-
utes. Implementations of functional languages, such as Haskell, OCaml, SML,
etc., are well known to not be able to cope with such terms, and indeed fail on
this input. The next table below gives the computation of factorial using only
the pure λ-calculus (using the encoding given in [2]).



Term                KCLE                  BOHM
2 I I               8(4)                  12(4)
2 2 I I             32(9)                 40(9)
2 2 2 I I           88(18)                93(16)
2 2 2 2 I I         328(51)               356(27)
2 2 2 2 2 I I       983392(131124)        1074037060(61)
3 2 I I             52(12)                47(12)
4 2 I I             72(15)                63(15)
5 2 I I             92(18)                79(18)
10 2 I I            192(33)               159(33)
15 2 I I            292(48)               239(48)
3 2 2 I I           170(29)               157(21)
4 2 2 I I           312(48)               330(26)
5 2 2 I I           574(83)               847(31)
10 2 2 I I          15564(2082)           531672(56)
15 2 2 I I          491834(65585)         537100609(81)
17 2 2 I I          1966438(262199)       -
3 2 2 2 I I         4018(542)             34740(40)
4 2 2 2 I I         983376(131121)        1074037034(60)
2 2 2 10 I I        1072(179)             10307(67)
2 2 2 20 I I        2002(339)             23812(92)
2 2 2 30 I I        2932(499)             97927(167)
2 2 2 2 10 I I      4129096(655412)       1073933204(162)
2 2 2 2 20 I I      8061226(1310772)      -
2 2 2 2 30 I I      11993356(1966132)     -

Table 1. Benchmark: Church numerals

Factorial (pure λ-calculus encoding of [2]):

Term                KCLE                  BOHM
Fact 2 I I          292(41)               212(41)
Fact 3 I I          521(55)               373(54)
Fact 4 I I          813(70)               594(68)
Fact 5 I I          1180(86)              903(83)
Fact 10 I I         4560(181)             5168(173)
Fact 20 I I         23845(446)            53498(428)
Fact 30 I I         69830(811)            241978(783)


The last two tables below show: a term (λz.(λx.zxxx)(λy.2(λx.y(xI))n))II,
where n is a Church numeral that we vary, and using terms taken from [2]:
n 2' 2' I I, where 2' = λxy.(λz.(z(zy)))(λw.xw) (cf. Figure 1).



n        KCLE          BOHM
2        178(38)       149(22)
3        199(40)       185(26)
4        220(44)       230(30)
5        241(48)       275(34)
10       346(68)       500(54)
20       556(108)      950(94)
30       766(148)      1400(134)

Term            KCLE              BOHM
1 2' 2' I I     102(17)           41(11)
2 2' 2' I I     154(24)           90(14)
3 2' 2' I I     236(35)           172(17)
4 2' 2' I I     378(54)           379(20)
5 2' 2' I I     640(89)           1016(23)
10 2' 2' I I    15630(2088)       664501(38)
15 2' 2' I I    491900(65591)     671375626(53)



A brief analysis of these tables (and other data accumulated) shows a general
pattern from which two key observations can be made:

1. As the terms become larger: BOHM improves with respect to the number of
β-interactions, but KCLE becomes better with respect to the total number
of interactions (i.e., total cost of evaluation).

2. For Church numeral calculations, the ratio of the total number of interactions
to β-interactions is almost constant, indicating that the cost of implementing
a β-reduction step is around 7 interactions — a very small overhead for these
values.

The comparisons given here only touch on the testing done, and in particular
we do not include results for other systems of interaction nets, or related systems
of rewriting (see for instance [8, 10, 12, 14]). We hope to provide a more complete
comparison at some future occasion.

7 Conclusions 

In this paper we have demonstrated that there are still new and exciting ways
to implement the λ-calculus. As our experimental results have confirmed, these
can be greatly more efficient than extant systems, even asymptotically better.

Our evaluator is capable of producing full normal forms of typed or untyped
λ-terms (either closed or open). This therefore opens up additional applications,
such as the use in proof assistants, where normal forms of such terms are required. 

As we have mentioned, the additional agents and rules which form the nor- 
mal form extension can also be used in the compilation. This may achieve better 
performance when an argument would benefit from being a normal form before 
copying for instance. For the moment this is done in an ad-hoc way, and we an- 
ticipate that there should be a more systematic approach to this from analysing 
the term during compilation. 
A Computing Normal Forms

In this appendix we give the rules for the additional agents that are needed to
obtain full normal forms. Since there are many, we adopt the textual notation
for rules [6], which are in the table below. There are four agents φ_1, φ_2, φ_3, φ_4 of
arity 1, one agent of arity 2, and two agents λ_u, c_b of arity 3. Variables in this
notation are bold and underlined to distinguish them from the names of agents.

Table 2. Agents used to compute normal forms



φ_1(a) ⋈ φ_1(a)
φ_1(u) ⋈ u
φ_1(λ_c(a,b)) ⋈ λ_c(φ_1(a), φ_1(b))
φ_1(@(a,b)) ⋈ @(φ_1(a), φ_1(b))
φ_1(λ(a,b,c)) ⋈ λ(φ_1(a), φ_1(b), φ_1(c))
φ_1(a) ⋈ δ(φ_4(c_b(b,c,φ_1(a))),b,c)
φ_4(d) ⋈ d
φ_4(δ_b(a,b,c)) ⋈ δ_b(φ_4(a), φ_4(b), c)
c(λ_u(a,b,c), λ_u(d,e,f)) ⋈ λ_u(δ(a,d), δ(b,e), c(c,f))
c(c_b(a,b,c), c_b(d,e,f)) ⋈ c_b(δ(a,d), c(b,e), c(c,f))
δ_b(c_b(d,e,c), c_b(b,f,d), a) ⋈ c_b(b, δ_b(e,f,a), c)
c_b(a,d,a) ⋈ d
λ_u(a,b,d) ⋈ @(a, ^

φ_1(ε) ⋈ ε
φ_1(δ(a,b)) ⋈ δ(φ_1(a), φ_1(b))
φ_1(c(a,b)) ⋈ c(φ_1(a), φ_1(b))
φ_1(c) ⋈ c_b(φ_1(a), φ_1(b), φ_1(δ(c,a,b)))
φ_1(a) ⋈ φ_4(φ_1(a))
φ_4(c) ⋈ λ_b(λ_u(a,b,c), a, b)
c(v,u) ⋈ u

φ_2(a) ⋈ φ_2(a)
φ_2(^) ⋈ @(φ_2(@'(b,a)), φ_2(b))
φ_2(c(a,b)) ⋈ c(φ_2(a), φ_2(b))
φ_2(c) ⋈ λ(φ_2(a), φ_2(b), λ_b(c,a,b))
@'(c(a,b), c(c,d)) ⋈ c(@'(a,c), @'(b,d))

φ_2(ε) ⋈ ε
φ_2(λ_c(a,b)) ⋈ λ_c(φ_2(a), φ_2(b))
φ_2(b(a,b,c)) ⋈ b(a, φ_2(b), c)
@'(b(a,b,c), δ(d,e,a)) ⋈ b(d, @'(b,e), c)

φ_3(a) ⋈ φ_3(a)
φ_3(u) ⋈ v
φ_3(λ_c(a,b)) ⋈ λ_c(φ_3(a), φ_3(b))
φ_3(λ(a,b,c)) ⋈ λ(φ_3(a), φ_3(b), c)
φ_3(a) ⋈ @'(φ_3(b), φ_3(@(a,b)))

φ_3(ε) ⋈ ε
φ_3(c(a,b)) ⋈ c(φ_3(a), φ_3(b))
φ_3(b(a,b,c)) ⋈ b(φ_3(a), φ_3(b), φ_3(c))
φ_3(c) ⋈ λ_b(λ(a,b,c), a, b)
We will not enter into the details of any of these rules, except to remark that
there are three kinds of φ agents. φ_1 is the main one, which allows the main
reduction steps to proceed. φ_2 allows certain substitutions to complete, and φ_3
cleans up the representation so that it corresponds to the translation of a λ-term.
φ_1 can be used as part of the reduction system, but the other two should only be
used for the read-back procedure. All the remaining rules are simply completing
the system.
Abstract. We present a general translation of term rewrite systems
(TRS) to logic programs such that basic rewriting derivations become 
logic deductions. Certain TRS result in so-called cs-programs, which 
were originally studied in the context of constraint systems and tree 
tuple languages. By applying decidability and computability results of 
cs-programs we obtain new classes of TRS that have nice properties like 
decidability of unification, regular sets of descendants or finite represen- 
tations of R-unifiers. Our findings generalize former results in the field 
of term rewriting. 



1 Introduction 

Term rewrite systems (TRS) are fundamental to fields like theorem proving,
system verification, or functional-logic programming. Applications there require
decision procedures, e.g. for R-unifiability (for terms t and t', is there a substitu-
tion σ such that tσ =_R t'σ?) or for reachability (is term t' reachable from
term t by a rewriting derivation?). Most desired properties depend on the ability
to compute R*(E) (the set of terms reachable from elements in E) by means of
tree languages which have a decidable emptiness test and are closed under inter-
section. Authors like [3, 11, 10] studied classes of TRS which effectively preserve
recognizability, i.e. R*(E) is regular if E is regular.

Recognizability is usually preserved by encoding TRS derivations as tree au-
tomata and by exploiting the properties of the class of TRS under consideration.
Another method first encodes the rewriting relation by means of tree tuple lan-
guages [4, 8], i.e. it computes the rewriting relation as a tree tuple language and then
obtains recognizability by projection.

This paper applies the second method using a restricted class of logic pro- 
grams to handle tree tuple languages. We first define a translation of rewrite 
systems to logic programs that maps a restricted form of rewriting, called ba- 
sic rewriting, to deductions. It preserves essential structural properties such that 
classes of TRS correspond naturally to certain classes of logic programs, allowing 
to transfer results between the two formalisms. 

We restrict our attention to basic rewriting, i.e., to rewriting that never mod- 
ifies parts of terms considered as data. This fits the logic programming paradigm 
where there is a clear distinction between data (function symbols) and opera-
tions on them (predicate symbols). This allows to obtain logic programs that 
preserve the structure of rewrite systems well. Note that basic rewriting coin- 
cides with rewriting for large classes of term rewrite systems such as right-linear 
ones. Right-linearity is required for most classes that preserve recognizability. 

The classes of TRS we study in this paper are defined via the notion of 
possible redexes (i.e. parts of terms that may be rewritten). This notion general- 
izes constructor-based TRS where some symbols, called constructors, cannot be 
rewritten. The required properties are right-linearity and no nesting of possible 
redexes. The two classes differ in the form of possible redexes in the right-hand- 
sides. The first class, called quasi-cs TRS, requires that the depth of a variable 
under a possible redex is less than or equal to the depth in the right-hand-side. 
The second one, called instance-based TRS, requires that possible redexes are 
less instantiated than left-hand-sides. Instance-based TRS extend the class of 
TRS described in [4] and [10], and quasi-cs TRS is a new class not studied be- 
fore. As in [10] we require that each term of the input language E contains a 
bounded number of basic positions. Instance-based TRS extend also the class of 
layered transducing TRS of [11]. The resulting logic program has the additional
property that the projection to the last argument of each predicate is a regu- 
lar language. This implies that recognizability for the basic rewriting relation is 
preserved. 

The main interest of the framework presented in this paper compared to pre- 
vious work is the replacement of very technical ad-hoc encodings of rewriting 
relations as tree automata by a very general translation to a high-level language 
like logic programming. The preservation of recognizability then reduces to a ter- 
mination proof of the algorithm presented in [5] that transforms logic programs 
to so-called cs-programs. 

Section 2 recalls some basic definitions of TRS, Section 3 describes cs-pro- 
grams and their properties, and Section 4 presents the translation of basic rewrit- 
ing to logic programming. Section 5 uses this translation to define two classes of 
TRS that preserve recognizability. The last section gives an outlook on future 
work. Due to space restrictions not all proofs are included in the paper; they can 
be found in [6]. 

2 Preliminaries 

We recall some basic notions and notations concerning term rewrite systems; for 
details see [1]. 

Let Σ be a finite set of symbols with arity, Var be an infinite set of variables,
and T(Σ, Var) be the first-order term algebra over Σ and Var. Σ consists of two
disjoint subsets: the set F of defined function symbols (or function symbols), and
the set C of constructor symbols. The terms of T(C, Var) are called data-terms.
A term is linear if no variable occurs more than once in it.

For a term t, Pos(t) denotes the set of positions in t, |t| = |Pos(t)| the size
of t, and t|_u the subterm of t at position u. The term t[u←s] is obtained from t by
replacing the subterm at position u by s. Var(t) is the set of variables occurring
in t. The set SPos(t) ⊆ Pos(t) denotes the set of non-variable positions, i.e.,
t|_u ∉ Var for u ∈ SPos(t) and t|_u ∈ Var for u ∈ Pos(t)\SPos(t). A substitution
is a mapping from Var to T(Σ, Var), which extends trivially to a mapping from
T(Σ, Var) to T(Σ, Var). The domain of a substitution σ, Dom(σ), is the set
{x ∈ Var | xσ ≠ x}. For V ⊆ Var, σ|_V denotes the restriction of σ to the
variables in V, i.e., xσ|_V = xσ for x ∈ V and xσ|_V = x otherwise. If term t is
an instance of term s, i.e. t = sσ, we say that t matches s and s subsumes t.

Let CVar = {□_i | i ≥ 1} be the set of context variables, distinct from Var;
a context is a term in T(Σ, Var ∪ CVar) such that the i-th occurrence of a
context variable counted from left to right is labelled by □_i. The context □_1 (also
denoted □) is called the trivial context. A context is called an n-context if it
contains n context variables. For an n-context C, the expression C[t_1, ..., t_n]
denotes the term

A term rewrite system (TRS) is a finite set of oriented equations called rewrite
rules. Lhs and rhs are shorthand for the left-hand and right-hand side of a rule,
respectively. For a TRS R, the rewrite relation is denoted by →_R and is defined
by t →_R s if there exists a rule l → r in R, a non-variable position u in t, and
a substitution σ, such that t|_u = lσ and s = t[u←rσ]. Such a step is written as
t →_{[u,…]} s. If a term t cannot be reduced by any rewriting rule, it is said to
be irreducible. The reflexive-transitive closure of →_R is denoted by →*_R, and the
symmetric closure of →_R by =_R. The relation →^n_R denotes n steps of the rewrite
relation. By t ↓_R s we denote the derivation t →*_R s such that s is irreducible.
For a set of terms E, we define R*(E) = {t | t' →*_R t for some t' ∈ E} and
R↓(E) = {t | t' ↓_R t for some t' ∈ E}. If the lhs (rhs) of every rule is linear
the TRS is said to be left-(right-)linear. If it is both left- and right-linear the
TRS is called linear. A TRS is constructor based if every rule is of the form
f(t_1, ..., t_n) → r where all t_i's are data-terms.
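As an added example, not part of the paper, the following Python code implements the notions just defined (positions, subterms, replacement, matching, the one-step rewrite relation →_R, the reachable normal forms, and the linearity and constructor-based checks) on a constructed sample TRS for Peano addition. The term encoding (nested tuples, strings for variables) and the `bound` parameter of `normal_forms` are assumptions of this example.

```python
# Added example (not from the paper): the Section 2 notions implemented directly.
# Terms are nested tuples (symbol, arg1, ...); variables are plain strings.
# Rules are pairs (lhs, rhs). The encoding is an assumption of this example.

def is_var(t):
    return isinstance(t, str)

def positions(t, prefix=()):
    """Pos(t): all positions of t as tuples of argument indices; () is the root."""
    yield prefix
    if not is_var(t):
        for i, arg in enumerate(t[1:], start=1):
            yield from positions(arg, prefix + (i,))

def subterm(t, u):
    """t|_u: the subterm of t at position u."""
    for i in u:
        t = t[i]
    return t

def replace(t, u, s):
    """t[u <- s]: t with the subterm at position u replaced by s."""
    if not u:
        return s
    i = u[0]
    return t[:i] + (replace(t[i], u[1:], s),) + t[i + 1:]

def occurrences(t):
    """Variable occurrences of t in left-to-right order (repeats included)."""
    return [t] if is_var(t) else [v for a in t[1:] for v in occurrences(a)]

def is_linear(t):
    """No variable occurs more than once in t."""
    occ = occurrences(t)
    return len(occ) == len(set(occ))

def match(pattern, t, sigma=None):
    """Substitution sigma with pattern*sigma == t (t matches pattern), or None."""
    sigma = {} if sigma is None else sigma
    if is_var(pattern):
        if pattern in sigma:
            return sigma if sigma[pattern] == t else None
        sigma[pattern] = t
        return sigma
    if is_var(t) or pattern[0] != t[0] or len(pattern) != len(t):
        return None
    for p, a in zip(pattern[1:], t[1:]):
        if match(p, a, sigma) is None:
            return None
    return sigma

def apply(sigma, t):
    """t*sigma: apply the substitution to every variable of t."""
    if is_var(t):
        return sigma.get(t, t)
    return (t[0],) + tuple(apply(sigma, a) for a in t[1:])

def rewrite_steps(rules, t):
    """All s with t ->_R s: one rule l -> r applied at one non-variable position u
    of t with t|_u = l*sigma, giving s = t[u <- r*sigma]."""
    out = []
    for u in positions(t):
        if is_var(subterm(t, u)):
            continue
        for l, r in rules:
            sigma = match(l, subterm(t, u))
            if sigma is not None:
                out.append(replace(t, u, apply(sigma, r)))
    return out

def normal_forms(rules, t, bound=1000):
    """Irreducible terms s with t ->*_R s, exploring at most `bound` distinct terms
    (the bound is an assumption of this example; R*(E) need not be finite)."""
    seen, todo, nfs = {t}, [t], set()
    while todo and len(seen) <= bound:
        cur = todo.pop()
        succ = rewrite_steps(rules, cur)
        if not succ:
            nfs.add(cur)
        for s in succ:
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return nfs

def is_constructor_based(rules, defined):
    """Every lhs is f(t1, ..., tn) with f a defined symbol and all ti data-terms."""
    def is_data(t):
        return is_var(t) or (t[0] not in defined and all(is_data(a) for a in t[1:]))
    return all(not is_var(l) and l[0] in defined and all(is_data(a) for a in l[1:])
               for l, _ in rules)

# Constructed sample TRS: Peano addition (linear and constructor based).
ZERO = ('0',)
def s(t):
    return ('s', t)
PLUS = [
    (('plus', ZERO, 'y'), 'y'),
    (('plus', s('x'), 'y'), s(('plus', 'x', 'y'))),
]
```

With `PLUS`, `rewrite_steps` finds exactly one redex in plus(s(0), s(0)) and `normal_forms` follows the derivation down to s(s(0)); the constructor-based check rejects a rule whose lhs nests the defined symbol `plus` inside an argument.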

3 Cs-Programs 



We use techniques from logic programming to deal with certain types of rewrit- 
ing relations. Term rewrite systems are transformed to logic programs preserving 
their characteristic properties. The programs are manipulated by standard fold- 
ing/unfolding techniques to obtain certain normal forms like cs-programs. Re- 
sults about the latter lead directly to conclusions about rewrite systems. There- 
fore this section presents some results about logic programs. While some notions 
and theorems are just quoted from [5] (and in fact appear in a similar form al- 
ready in [9]), other results are new. We presuppose basic knowledge about logic 
programming (see e.g. [7]). 

Definition 1. A program clause is a cs-clause if its body is linear and contains 
no function symbols, i.e., if all arguments of the body atoms are variables occur- 
ring nowhere else in the body. A cs-clause is linear if the head atom is linear. A 
logic program is a (linear) cs-program iff all its clauses are (linear) cs-clauses. 
Every logic program 𝒫 can be transformed to an equivalent cs-program by
applying two rules, unfolding and definition introduction¹. The rules transform
states (𝒫, 𝒟new, 𝒟done, 𝒞new, 𝒞out) where 𝒟new are definitions not yet unfolded,
𝒟done are definitions already processed but still used for simplifying clauses,
𝒞new are clauses generated from definitions by unfolding, and 𝒞out is the cs-
program generated so far. Syntactically, definitions are written as clauses, but
from the semantic point of view they are equivalences. We require the head of
a definition to contain all variables occurring in the body². A set of definitions,
𝒟, is compatible with 𝒫, if all predicate symbols occurring in the heads of the
definitions occur just there and nowhere else in 𝒟 and 𝒫; the only exception
are tautological definitions of the form P(x̄) ← P(x̄) where P may occur without
restrictions throughout 𝒟 and 𝒫. The predicate symbols in the heads of 𝒟 are
called the predicates defined by 𝒟.

We write S ⇒ S' if S' is a state obtained from state S by applying one of the
rules unfolding or definition introduction defined below. The reflexive and tran-
sitive closure of ⇒ is denoted by ⇒*. An initial state is of the form (𝒫, 𝒟, ∅, ∅, ∅)
where 𝒟 is compatible with 𝒫. A final state is of the form (𝒫, ∅, 𝒟', ∅, 𝒫'). 𝒫 and
𝒟 are called the input of a derivation, 𝒫' its output. A derivation is complete if
its last state is final.

Unfolding. Pick a definition not yet processed, select one or more of its body
atoms according to some selection rule, and unfold them with all matching
clauses from the input program. Formally:

(𝒫, 𝒟new ∪ {L ← ℛ ∪ {A_1, ..., A_k}}, 𝒟done, 𝒞new, 𝒞out)
  ⇒ (𝒫, 𝒟new, 𝒟done ∪ {L ← ℛ ∪ {A_1, ..., A_k}}, 𝒞new ∪ 𝒞, 𝒞out)

where 𝒞 is the set of all clauses Lμ ← (ℛ ∪ B_1 ∪ ⋯ ∪ B_k)μ such that H_i ← B_i
is a clause in 𝒫 for i = 1, ..., k, and such that the simultaneous most general
unifier μ of (A_1, ..., A_k) and (H_1, ..., H_k) exists. Note that the clauses from 𝒫
have to be renamed properly such that they share variables neither with each
other nor with L ← ℛ ∪ {A_1, ..., A_k}.

Definition Introduction. Pick a clause not yet processed, decompose its body
into minimal variable-disjoint components, and replace every component that is
not yet a single linear atom without function symbols by an atom that is either
looked up in the set of old definitions, or, if this fails, is built of a new predicate
symbol and the component variables. For every failed lookup introduce a new
definition associating the new predicate symbol with the replaced component.

¹ Our version of definition introduction is a combination of definition introduction and
folding in the traditional sense of e.g. [13].

² We could get rid of the restriction by introducing the notion of linking variables like
in [9]. Since the restriction is always satisfied in our context we avoid this complica-
tion.

Formally:

(𝒫, 𝒟new, 𝒟done, 𝒞new ∪ {H ← B_1 ∪ ⋯ ∪ B_k}, 𝒞out)
  ⇒ (𝒫, 𝒟new ∪ 𝒟, 𝒟done, 𝒞new, 𝒞out ∪ {H ← L_1, ..., L_k})

where B_1, ..., B_k is a maximal decomposition of B_1 ∪ ⋯ ∪ B_k into non-empty
variable-disjoint subsets,

L_i = Lη⁻¹              if L ← B_iη ∈ 𝒟done for some variable renaming η³
L_i = P_i(x_1, ..., x_n)  otherwise, {x_1, ..., x_n} being the variables of B_i,

for 1 ≤ i ≤ k and new predicate symbols P_i, and where 𝒟 is the set of all L_i ← B_i
such that L_i contains a new predicate symbol.

Theorem 1. Let 𝒫 be a logic program and 𝒟 be a set of definitions compatible
with 𝒫. If (𝒫, 𝒟, ∅, ∅, ∅) ⇒* (𝒫, ∅, 𝒟', ∅, 𝒫'), then 𝒫' is a cs-program whose least
Herbrand model semantics coincides with the one of 𝒫 for all predicates defined
by 𝒟.

In the following we discuss properties of logic programs that can be trans- 
formed to finite cs-programs. 

Definition 2. A clause is quasi-cs if the body is linear and, for every variable
that occurs both in the body and the head, the depth of its occurrence in the body
is smaller than or equal to the depth of all occurrences in the head. A program
is quasi-cs if all its clauses are.

Theorem 2. Let 𝒫 be a quasi-cs program, and let 𝒟_𝒫 be the set of all tautologies
P(x̄) ← P(x̄) such that P occurs in 𝒫. Every ⇒-derivation with input 𝒫 and 𝒟_𝒫
is finite.
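As an added example (not the authors' code), here are checks for the syntactic classes of Definitions 1 and 2, run on constructed sample clauses. The tuple encoding of atoms and the depth convention (a variable that is a direct argument of an atom is at depth 0, one function symbol down at depth 1, matching the paper's "atoms of depth 0") are assumptions of this example.

```python
# Added example (not from the paper): syntactic checks for cs-clauses
# (Definition 1) and quasi-cs clauses (Definition 2).
# Atoms and terms are nested tuples (symbol, arg1, ...), variables are strings,
# and a clause is a pair (head_atom, [body_atoms]). Depth convention assumed here:
# a variable that is a direct argument of an atom is at depth 0, a variable inside
# one function symbol at depth 1, and so on (so "atoms of depth 0" are flat).

def is_var(t):
    return isinstance(t, str)

def occurrences(t):
    """Variable occurrences of a term or atom, left to right, repeats included."""
    return [t] if is_var(t) else [v for a in t[1:] for v in occurrences(a)]

def is_linear(t):
    occ = occurrences(t)
    return len(occ) == len(set(occ))

def body_is_linear(body):
    """A body is linear when no variable occurs twice across all its atoms."""
    occ = [v for atom in body for v in occurrences(atom)]
    return len(occ) == len(set(occ))

def var_depths(t, d=0):
    """Map each variable of term t to the list of depths at which it occurs."""
    if is_var(t):
        return {t: [d]}
    out = {}
    for a in t[1:]:
        for v, ds in var_depths(a, d + 1).items():
            out.setdefault(v, []).extend(ds)
    return out

def atom_var_depths(atom):
    """Depths of variables inside an atom's arguments (direct argument = depth 0)."""
    out = {}
    for a in atom[1:]:
        for v, ds in var_depths(a).items():
            out.setdefault(v, []).extend(ds)
    return out

def is_cs_clause(clause):
    """Definition 1: linear body whose atoms have only variables as arguments."""
    _head, body = clause
    return body_is_linear(body) and all(is_var(a) for atom in body for a in atom[1:])

def is_linear_cs_clause(clause):
    """A cs-clause whose head atom is linear as well."""
    return is_cs_clause(clause) and is_linear(clause[0])

def is_quasi_cs_clause(clause):
    """Definition 2: linear body, and every variable shared with the head occurs
    in the body no deeper than its shallowest occurrence in the head."""
    head, body = clause
    if not body_is_linear(body):
        return False
    head_depths = atom_var_depths(head)
    for atom in body:
        for v, ds in atom_var_depths(atom).items():
            if v in head_depths and max(ds) > min(head_depths[v]):
                return False
    return True

def is_quasi_cs_program(program):
    return all(is_quasi_cs_clause(c) for c in program)

# Constructed sample clauses (not from the paper), e.g. C1 is P(f(x), y) <- Q(x), R(y).
C1 = (('P', ('f', 'x'), 'y'), [('Q', 'x'), ('R', 'y')])      # cs, linear, quasi-cs
C2 = (('P', 'x', 'y'), [('Q', ('f', 'x')), ('R', 'y')])      # x deeper in the body
C3 = (('P', ('f', 'x'), 'x'), [('Q', 'x')])                  # cs but head not linear
C4 = (('P', 'x'), [('Q', 'x'), ('R', 'x')])                  # body not linear
```

Every cs-clause is quasi-cs (its body variables sit at depth 0), but C2 shows the converse failing: Q(f(x)) places x one level deeper than its head occurrence, which is exactly the situation Theorem 2 excludes.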

Another, new class of programs that also have finite cs-counterparts are
instance-based programs.

Definition 3. A clause H ← B of a logic program 𝒫 is instance-based (is an
ib-clause) if B is linear and for every pair of atoms H', A where H' is the head
of a clause of 𝒫 properly renamed and A is an atom in B such that H' and A
unify, H' is an instance of A. A program is instance-based (is an ib-program) if
it consists of ib-clauses.

Theorem 3. Let 𝒫 be an ib-program, and let 𝒟_𝒫 be the set of all tautologies
P(x̄) ← P(x̄) such that P occurs in 𝒫. Every ⇒-derivation with input 𝒫 and 𝒟_𝒫
is finite.

Proof. We show that for ib-clauses all definitions occurring in a derivation are of
the form L ← A, where A is a single linear atom which subsumes any clause head
it unifies with. This implies that only finitely many definitions are generated up
to variable renaming, i.e., complete derivations are finite. Note that the initial
definitions in 𝒟_𝒫 are of this particular form.

³ A substitution η is a variable renaming for a set of atoms ℛ, if there exists a sub-
stitution η⁻¹ such that ℛηη⁻¹ = ℛ.

Let H ← B be an ib-clause of 𝒫, and let μ = mgu(A, H) be the most general
unifier involved in unfolding a definition L ← A. We may divide μ into two parts,
μ_A and μ_H, such that Aμ_A = Hμ_H. Since A is linear, xμ_H is a linear term for
all x, and the variables in xμ_H do not occur in B (definitions and clauses are
renamed apart prior to unfolding). Therefore Bμ_H, the body of the new clause
(L ← B)μ = Lμ_A ← Bμ_H, consists of linear atoms not sharing any variables
with each other. Hence a maximal decomposition of B consists of singletons only.

It remains to show that each atom of B, and therefore of the new definitions,
subsumes all the clause heads it unifies with. A subsumes H, therefore Hμ = H,
which means that Bμ = B, and therefore the atoms of B satisfy the ib property, so
each subsumes all the clause heads it unifies with. □

A logic program is called monadic if it contains only unary predicate symbols.
A unary predicate is monadic if it is defined by a monadic program.

Lemma 1. The set of ground terms S is a regular tree language iff there exists
a linear monadic cs-predicate P such that P(t) is true for all terms t in S.

Definition 4. Let P be a predicate defined by a program 𝒫. The i-th argument
of P is said to be free iff for every Horn clause P(t_1, ..., t_n) ← A_1, ..., A_k of 𝒫,
t_i is linear, ∀x ∈ Var(t_i), x appears once in the head and once in the body, and
∀j ∈ 1..k, either Var(t_i) ∩ Var(A_j) = ∅ or Var(t_i) ∩ Var(A_j) is a single variable
which occurs in a free argument of A_j.

Lemma 2. Let P be a predicate of a cs-program 𝒫 whose i-th argument is free.
The set {t | 𝒫 ⊨ P(t_1, ..., t_{i-1}, t, t_{i+1}, ..., t_n)} is defined by the set of clauses
constructed as follows:

— C_0 = {}, P_0 = {P'}

— C_i = {Q'(s) ← {R'(s') | Q' ∈ P_{i-1}, Q(..., s, ...) ← B ∈ 𝒫 and B has at least
one model, R(..., s', ...) ∈ B and Var(s) ∩ Var(s') ≠ ∅}},

P_i = {Q' occurring in a body of a clause of C_i} \ ∪_{j<i} P_j

Proof. It is obvious that if 𝒫 ⊨ P(t_1, ..., t_{i-1}, t, t_{i+1}, ..., t_n) then 𝒫 ⊨ P'(t).
Now, let us prove that if 𝒫 ⊨ P'(t) then there are some t_1, ..., t_n such that
𝒫 ⊨ P(t_1, ..., t_{i-1}, t, t_{i+1}, ..., t_n). It is done by induction on the height of the
proof tree.

— h = 0: obvious by construction.

— h > 0: Let P'(s) ← B' be the top clause of the proof tree, P(..., s, ...) ← B
the corresponding clause of 𝒫 and σ = mgu(t, s). By construction, we have
𝒫 ⊨ Bμ; this means that ∀Q(t̄) s.t. Var(Q(t̄)) ∩ Var(s) = ∅, we have
𝒫 ⊨ Q(t̄)μ. ∀Q'(s')σ ∈ B'σ, 𝒫 ⊨ Q'(s')σ. Since s appears at a free po-
sition of P, s' occurs at a free position of Q, so by induction hypothesis
𝒫 ⊨ Q(..., s', ...)σ' with s'σ' = s'σ. Since all atoms of B are variable dis-
joint, the substitution μ' = σ' ⊎ μ|_{x ∉ Dom(σ')} is such that Q(..., s', ...)μ' =
Q(..., s', ...)σ' if Q'(s') ∈ B' and Q(t̄)μ' = Q(t̄)μ if Var(Q(t̄)) ∩ Var(t) = ∅.
So 𝒫 ⊨ Bμ', which implies 𝒫 ⊨ P(..., s, ...)μ' where sμ' = t.
In the following, Reg(𝒫) denotes the set of clauses constructed in Lemma 2.

Definition 5. Let 𝒫 be a cs-program. A clause P(x̄) ← P'(t̄), B_reg is called a
regular join definition compatible with 𝒫 if

— P(x̄) is linear and x̄ ⊆ Var(P'(t̄)) ∪ Var(B_reg)

— P'(t̄) is linear

— the elements of B_reg are linear monadic predicates.

P'(t̄) is called the key atom. If all atoms of B_reg are of depth 0 the definition is
said to be a flat regular join definition.

The strategy which chooses atoms of maximal depth terminates but does not
preserve freeness of arguments. For example, consider the clause

A(s(c(x, y1)), s(c(x, y2)), c(x3, y3)) ← A(x, y1, x3), B(y2, y3)

where the last arguments of A and B are free. When unfolding the regular
join definition P(z1, z2, z3) ← A(s(z1), s(z2), z3), C(z1), C(z2), where C is linear
monadic, we get

P(c(x, y1), c(x, y2), c(x3, y3)) ← A(x, y1, x3), B(y2, y3), C(c(x, y1)), C(c(x, y2)).

The body of this clause cannot be decomposed, so the new clause in 𝒞new is
P(c(x, y1), c(x, y2), c(x3, y3)) ← Q(x, y1, y2, x3, y3). But now the variables x3 and
y3 are no longer "independent". This could have been avoided if C(c(x, y1)) and
C(c(x, y2)) had been unfolded before introducing the new clause in 𝒞new. Indeed,
suppose that C(c(x', x'')) ← C(x'), C(x'') is in the definition of C; then the next
unfolding step yields

P(c(x, y1), c(x, y2), c(x3, y3)) ← A(x, y1, x3), B(y2, y3), C(x), C(y1), C(y2)

where the two free variables are separated into two different components. This
observation leads to the following restricted rule that unfolds atoms without in-
troducing clauses in 𝒞new. Together with a suitable strategy it preserves freeness
of arguments.

Restricted Unfolding.

(𝒫, 𝒟new ∪ {L ← ℛ ∪ {A_1, ..., A_k}}, 𝒟done, 𝒞new, 𝒞out)
  ⇒ (𝒫, 𝒟new ∪ 𝒞, 𝒟done, 𝒞new, 𝒞out)

Let A be an atom and 𝒫 be a logic program. A is said to be sufficiently
instantiated if it is an instance of all clause heads of 𝒫 that unify with it (if
there is no such head, the condition is vacuously satisfied). A variable in an
atom is said to be not sufficiently instantiated if the variable gets instantiated
by the most general unifier of the atom with some clause head.

A freeness preserving strategy for ⇒-derivations starting from a regular join
definition consists in unfolding atoms of B_reg by Restricted Unfolding and the
key atom by general Unfolding. The atom for the unfolding operation is selected
in the following way: choose an atom of B_reg with a depth greater than 0; if there
is none, choose one whose variables are not sufficiently instantiated; otherwise
choose the key atom.
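The Unfolding rule of Section 3, the maximal variable-disjoint decomposition used by Definition Introduction, and the notion of a sufficiently instantiated atom, as one added Python example (not the paper's code) run on the A/B/C clauses of the example above. It reproduces the two outcomes described there: unfolding the key atom first leaves a body that cannot be decomposed, while unfolding the two C atoms afterwards splits it into two components. The tuple encoding, the renaming scheme (`name_n` suffixes), the set-like treatment of bodies and the use of `x1`, `x2` for the text's `x'`, `x''` are assumptions of this example.

```python
# Added example (not the paper's code): the Unfolding rule, the maximal
# variable-disjoint decomposition of Definition Introduction, and the notion of a
# sufficiently instantiated atom, run on the A/B/C clauses of the text's example.
# Terms and atoms are nested tuples (symbol, arg1, ...), variables are strings,
# clauses are (head, [body atoms]); bodies are treated as sets. All assumptions.
import itertools

def is_var(t):
    return isinstance(t, str)

def variables(t):
    return {t} if is_var(t) else set().union(*(variables(a) for a in t[1:]))

def apply(sigma, t):
    """Apply substitution sigma (a dict, possibly chained) to a term or atom."""
    if is_var(t):
        return apply(sigma, sigma[t]) if t in sigma else t
    return (t[0],) + tuple(apply(sigma, a) for a in t[1:])

def unify(s, t, sigma=None):
    """Most general unifier of s and t as a dict (with occurs check), or None."""
    sigma = {} if sigma is None else sigma
    s, t = apply(sigma, s), apply(sigma, t)
    if s == t:
        return sigma
    if is_var(s):
        if s in variables(t):
            return None
        sigma[s] = t
        return sigma
    if is_var(t):
        return unify(t, s, sigma)
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        if unify(a, b, sigma) is None:
            return None
    return sigma

def rename_apart(clause, counter):
    """Fresh copy of a program clause so it shares no variables with the definition."""
    head, body = clause
    vs = variables(head).union(*(variables(b) for b in body))
    fresh = {v: f"{v}_{next(counter)}" for v in sorted(vs)}
    return apply(fresh, head), [apply(fresh, b) for b in body]

def unfold(definition, program, selected, counter):
    """Unfolding of one selected body atom A of L <- R ∪ {A}: for every program
    clause H <- B whose (renamed) head unifies with A, emit (L <- R ∪ B)mu."""
    L, body = definition
    A, rest = body[selected], body[:selected] + body[selected + 1:]
    out = []
    for clause in program:
        H, B = rename_apart(clause, counter)
        mu = unify(H, A)            # H first, so clause variables get bound
        if mu is not None:
            new_body = []
            for b in rest + B:
                b = apply(mu, b)
                if b not in new_body:   # set semantics for bodies
                    new_body.append(b)
            out.append((apply(mu, L), new_body))
    return out

def components(body):
    """Maximal decomposition of a body into variable-disjoint subsets."""
    groups = []                                   # list of (variable set, atoms)
    for atom in body:
        vs, atoms = set(variables(atom)), [atom]
        keep = []
        for gv, ga in groups:
            if gv & vs:                           # this atom links the group in
                vs |= gv
                atoms = ga + atoms
            else:
                keep.append((gv, ga))
        groups = keep + [(vs, atoms)]
    return [ga for _, ga in groups]

def sufficiently_instantiated(atom, program, counter=None):
    """The atom is an instance of every (renamed) clause head it unifies with."""
    counter = itertools.count(1000) if counter is None else counter
    for clause in program:
        H, _ = rename_apart(clause, counter)
        mu = unify(H, atom)
        if mu is not None and any(apply(mu, v) != v for v in variables(atom)):
            return False
    return True

# The two program clauses and the regular join definition of the text's example
# (the text writes the C clause with x', x''; here x1, x2).
PROG = [
    (('A', ('s', ('c', 'x', 'y1')), ('s', ('c', 'x', 'y2')), ('c', 'x3', 'y3')),
     [('A', 'x', 'y1', 'x3'), ('B', 'y2', 'y3')]),
    (('C', ('c', 'x1', 'x2')), [('C', 'x1'), ('C', 'x2')]),
]
DEFN = (('P', 'z1', 'z2', 'z3'),
        [('A', ('s', 'z1'), ('s', 'z2'), 'z3'), ('C', 'z1'), ('C', 'z2')])

def run_example():
    """Unfold the key atom first, then the two C atoms; decompose both results."""
    counter = itertools.count()
    after_key = unfold(DEFN, PROG, 0, counter)[0]        # body cannot be split
    after_c1 = unfold(after_key, PROG, 0, counter)[0]    # body[0] is C(c(x, y1))
    after_c2 = unfold(after_c1, PROG, 0, counter)[0]     # body[0] is C(c(x, y2))
    return components(after_key[1]), components(after_c2[1])
```

`run_example()` returns one component of four atoms for the first unfolding and two components (A with C(x), C(y1); B with C(y2)) after the two C atoms are unfolded, which is the separation of x3 and y3 the text describes. `sufficiently_instantiated` rejects C(z1), whose variable is bound by the C clause head, and accepts C(c(u, v)), which is an instance of it.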




Proving Properties of Term Rewrite Systems via Logic Programs 177 



Before giving the result, we make some observations concerning the unification
problems occurring in the discussion.

Let t be a term and x ∈ Var(t) a variable; we denote by MinDepth(x, t)
the minimal depth at which x occurs in t and by ΔDepth(t) the maximal depth
difference between two occurrences of the same variable in t. Note that for linear,
variable-disjoint terms s and t unifiable by μ = mgu(s, t) we have Depth(sμ) ≤
max(Depth(s), Depth(t)).

Property 1. Let t be a term and s be a linear term such that Var(t) ∩ Var(s) =
∅. Let μ = mgu(s, t). Then xμ is linear and Depth(xμ) ≤ Depth(s) for all
x ∈ Var(t), and Depth(xμ) ≤ max(Depth(t), Depth(s) + ΔDepth(t)) for all
x ∈ Var(s). Moreover, ΔDepth(tμ) = ΔDepth(t) and the maximal number of
occurrences of a variable in tμ is the same as in t.

Lemma 3. Any regular join definition can be transformed into a flat one using
restricted unfolding.

Theorem 4. Any ⇒-derivation using a freeness preserving strategy starting
with a cs-program and a flat regular join definition is terminating.

Proof. Let r be the maximal depth of an atom occurring in the whole pro- 
gram and in the first definition. According to the freeness preserving strat- 
egy, the key atom K will be unfolded only if all the variables it shares with 
Breg are sufficiently instantiated. Since all predicates of Breg are non-copying 
monadic, they define each a regular tree language. Let us call intersection prob- 
lem Uo<i<n *^*[-^ 1 ( 2 ^ 1 )) ■ ■ ■ j Pni^Tii)] where Ci is a context which depth is inferior 
to 2 X T and Pf and predicate symbols and a;] are pairwise different variables. The 
solution of such a problem is {t|Vz G 0, n, t = C^[t \, . . . , Pn],V ^ 
since V is finite there is only a finite number of intersection problems. For a uni- 
fication problem UP MinSol = Min{{Depth{t)\t solution of UP}). Let us call 
h the maximum of all the MinSol. 

We prove that $Depth(K)$ is less than or equal to $h$. We first have to remark
that all subterms of $K$ which occur at a depth greater than $\tau$ have been
generated by one or more non-copying monadic predicates. A variable $x$ of $K$
is not sufficiently instantiated if either it occurs at an occurrence of $K$
which is also an occurrence of one clause head it unifies with, or it occurs at
an occurrence greater than one duplicated variable of one clause head. The first
case can be solved by unfolding this atom and its “descendants” to make this
branch grow. The depth of the result is less than $2 \times \tau$. For the
second case let $PB_{H,x} = \{C_i[t_i] = \cdots = x\}$ where
$Depth(C_i) < 2 \times \tau$ and each term of the $t_i$ has been generated by
one non-copying monadic predicate. $PB_{H,x}$ is an intersection problem,
therefore its minimal solution has a depth less than or equal to $h$. This means
that unfolding the atoms involved in this problem leads to an instance of depth
less than $\tau + h$ ($x$ is a variable of $H$ so it occurs at a depth less
than $\tau$).

Let $H' \leftarrow B'$ be the clause used for unfolding the key atom and
$\mu = mgu(K, H')$. Since all variables shared by the key atom are sufficiently
instantiated, $x\mu = x$ for $x \in Var(B_{reg})$, so $B_{reg}\mu = B_{reg}$ and
is of depth 0. The variables of $H'$ are instantiated by terms of depth less
than $h$, which means that $B'\mu$ is of depth less than $h$. Since $K$ is
linear, $x\mu$ is linear for $x \in Var(H')$ and so $B'\mu$ is linear. Finally,
since the atoms of $B_{reg}$ are unary and of depth 0 they share variables with
at most one argument of the atoms of $B'\mu$. The new maximal decomposition of
$B_{reg}B'\mu$ into variable disjoint components contains at most one atom of
$B'\mu$, so they are all bodies of regular join definitions compatible with
$\mathcal{P}$.

Since the depth of the key atom is bounded and it is linear, the number of
bodies of regular join definitions compatible with $\mathcal{P}$ is bounded, so
the algorithm terminates.

Theorem 5. Let $P(x^*, x) \leftarrow P'(t^*, x), B_{reg}$ be a regular join
definition such that $x$ occurs at a free argument of $P'$ and
$x \notin Var(B_{reg})$. The argument where $x$ occurs in $P$ is a free argument
of $P$ in the resulting cs-program.

Proof. Since $x$ occurs once in the body it will be instantiated only when
unfolding the key atom, and in this case each variable of the instance will
occur in a different key atom at a free argument. So all clauses introduced in
$C_{new}$ are of the form
$P(t^*, t) \leftarrow P_1(x^*_1, x_1), \ldots, P_n(x^*_n, x_n)$ where
$x_1, \ldots, x_n$ are variables of $t$ and $t^*$ does not share variables with
$t$. So $t$ and the $x_i$'s occur at a free argument.

4 Encoding Basic Rewriting by Logic Programs 

In this section we present the way we encode the rewriting relation by a logic
program. This translation is intended to obtain logic programs for which it is
possible to deduce recognizability preservation, namely cs-programs for which
one argument is free. The translation presented here works for any TRS but does
not lead to a cs-program in general.

One of the main differences between term rewriting and logic programming
formalisms is the clear distinction in logic programming between predicate
symbols and function symbols, i.e. between the data and the operations applied
to them. This distinction is usually not made in term rewriting systems. For
example, considering the TRS $f(x) \to g(x,x),\ a \to b,\ a \to c,\ g(b,c) \to c$
and the term $f(a)$, we have the following derivation:
$f(a) \to g(a,a) \to g(b,a) \to g(b,c) \to c$. In the first rewriting step $a$
is considered as “data” of $f$ and in the second and third steps $a$ is an
“operation”. In pure logic programming such a symbol, which is sometimes a
predicate symbol and sometimes a function symbol, does not exist. Since our aim
is to prove TRS properties using cs-programs, we intend to encode TRS
derivations by a logic program which is as close as possible to the original
TRS. This is why we define a transformation procedure which tends to preserve
the structure of the terms. The price to pay is to encode only a restricted form
of the rewriting relation which fits the logic programming formalism well,
namely basic rewriting. Roughly speaking, in basic rewriting it is forbidden to
rewrite a subterm which has been considered as data in a former step.
Fortunately the basic rewriting and rewriting relations coincide for large
classes of TRS.

4.1 Basic Rewriting 

A rewriting derivation $t_0 \to t_1 \to \cdots \to t_n$ is said to be $P$-basic
if the set of basic positions of $t_0$ (denoted $BasPos(t_0)$) is $P$ and, for
each step $t_i \to_{[u_i,\, l_i \to r_i,\, \sigma_i]} t_{i+1}$, $u_i$ belongs to
the set $BasPos(t_i)$ and the set of basic positions of $t_{i+1}$ is
$(BasPos(t_i) \setminus \{u \in Pos(t_i) \mid u_i \le u\}) \cup \{u_i.w \mid w \in SPos(r_i)\}$.
Each step of a basic derivation is denoted $\to_{bas}$ and we write
$t \to^{*}_{P\text{-}bas} s$ if $t$ rewrites into $s$ with a $P$-basic
derivation. $R^{*}_{P\text{-}bas}$ denotes the relation
$\{(t, t') \mid t \to^{*}_{P\text{-}bas} t'\}$. For a set of terms $E$,
$R^{*}_{P\text{-}bas}(E) = \{t \mid \exists t' \in E,\ t' \to^{*}_{P\text{-}bas} t\}$.
Most of the time $P$ is abusively omitted in the following.

Basic rewriting and rewriting coincide for large classes of TRS, in particular
for right-linear TRS.

Lemma 4. Let $R$ be a right-linear TRS. Then $\to^{*}_{R}$ and $\to^{*}_{bas}$
are the same relation.

Note that for the TRS given in the introduction of this section, $\to^{*}_{R}$
and $\to^{*}_{bas}$ are different since $f(a)$ cannot be rewritten into $c$ with
a basic derivation.

The following definitions will be needed further down. They allow us to point
out positions in a term that may be rewritten. Let $R$ be a TRS and $t$ a term.
A position $u$ of $t$ is called a possible redex position if $t|_u$ is of the
form $C[t_1, \ldots, t_n]$ where $C$ is neither trivial nor a variable, does
not contain any possible redex position and unifies with at least one lhs of
$R$, and $u_i$, the position of $t_i$, is a redex position for $1 \le i \le n$.
$C$ is called the possible redex at occurrence $u$ of $t$. The set of all
possible redex positions of $t$ is denoted $PRedPos_R(t)$ and the set of all
possible redexes of $t$ is denoted $PRed_R(t)$ ($R$ may be omitted if clear
from context). $PRedVar_R(t) = Var(t) \cap (\bigcup_{C \in PRed_R(t)} Var(C))$
is the set of variables of $t$ occurring in one of its possible redexes. For a
variable $x$ of $PRedVar_R(t)$, $PRedDepth_R(x)$ is the maximal depth of $x$ in
a possible redex of $t$. The context $C$ that does not contain any possible
redex and that is such that $t = C[t_1, \ldots, t_n]$ where $u_i$, for
$1 \le i \le n$, is a redex position, is called the irreducible part of $t$ and
is denoted $Irr_R(t)$. If $u < v$ are two possible redex positions of $t$ then
$v$ is said to be nested.

Example 1. For the TRS $R = \{f(s(x)) \to c(f(p(x)), f(f(x)))\}$ and the term
$t = c(f(p(x)), f(f(x)))$ we have $PRedPos_R(t) = \{2, 2.1\}$,
$PRed_R(t) = \{f(\Box), f(x)\}$, $Irr_R(t) = c(f(p(x)), \Box)$,
$PRedVar(t) = \{x\}$, and $PRedDepth(x) = 1$. $t$ contains a nested redex.

Notice that for any term $t$, $Pos(t)$-basic derivations and
$PRedPos(t)$-basic derivations are the same since positions of $t$ which are
not in $PRedPos(t)$ cannot be rewritten.

4.2 Translating TRS to Logic Programs 

Table 1 specifies the rules for transforming terms and rewrite rules to clause
logic. For a TRS $R$, let $\mathcal{CP}(R)$ denote the logic program consisting
of the clauses obtained by applying the fourth rule to all rewrite rules in
$R$. For the sake of simplicity, we will denote by $x_u$ the fresh variable
introduced in the third rule for the subterm $f(s_1, \ldots, s_n)$ at
occurrence $u$ of a rhs $s$, and by $A_u$ the atom produced by this rule.
Table 1. Converting rewrite rules to clause logic

$v \mapsto (v, \emptyset)$ $\quad$ if $v \in Var$

$\dfrac{s_1 \mapsto (t_1, G_1) \ \cdots\ s_n \mapsto (t_n, G_n)}{f(s_1, \ldots, s_n) \mapsto (f(t_1, \ldots, t_n),\ \bigcup_i G_i)}$
$\quad$ if $\epsilon \notin PRedPos_R(f(s_1, \ldots, s_n))$

$\dfrac{s_1 \mapsto (t_1, G_1) \ \cdots\ s_n \mapsto (t_n, G_n)}{f(s_1, \ldots, s_n) \mapsto (x,\ \bigcup_i G_i \cup \{P_f(t_1, \ldots, t_n, x)\})}$
$\quad$ if $\epsilon \in PRedPos_R(f(s_1, \ldots, s_n))$ ($x$ a fresh variable)

$\dfrac{s \mapsto (t, G)}{f(s_1, \ldots, s_n) \to s \ \mapsto\ P_f(s_1, \ldots, s_n, t) \leftarrow G}$
$\quad$ if $f(s_1, \ldots, s_n) \to s \in R$

Example 2. The following rewrite rules and clauses specify multiplication and
addition.

$*(0, x) \to 0$ $\qquad$ $P_*(0, x, 0) \leftarrow$

$*(s(x), y) \to +(y, *(x, y))$ $\qquad$ $P_*(s(x), y, x_\epsilon) \leftarrow P_+(y, x_2, x_\epsilon),\ P_*(x, y, x_2)$

$+(0, x) \to x$ $\qquad$ $P_+(0, x, x) \leftarrow$

$+(s(x), y) \to s(+(x, y))$ $\qquad$ $P_+(s(x), y, s(x_1)) \leftarrow P_+(x, y, x_1)$

Let $\mathcal{P}_{id} = \{ P_f(x_1, \ldots, x_n, f(x_1, \ldots, x_n)) \leftarrow\ \mid f$ a function symbol$\}$.
$\mathcal{P}_{id}$ allows us to stop any derivation at any time.

Theorem 6. Let $R$ be a TRS and $s$ a term such that $s \mapsto (s', G)$. Then
$s \to^{*}_{bas} t$ iff $\mathcal{CP}(R) \cup \mathcal{P}_{id} \models G\mu$ and
$t = s'\mu$.

Unfortunately, but this is not a surprise, the transformation of an arbitrary
term rewriting system does not usually lead to a cs-program. This is mainly due
to the non-linearity of the bodies of the resulting clauses as well as their
non-flatness. Non-linearity itself has two causes: the first one is the
non-linearity of the rhs of the rewrite rule, the second is due to nested
redexes. Therefore term rewriting systems for which basic derivations can be
expressed by a cs-program should have linear rhs with no nested possible
redexes. In Section 5, we present two classes of TRS where non-flatness has
been weakened thanks to quasi-cs-programs and ib-programs.

5 Term Rewrite Systems Preserving Recognizability 

In this section, we give two classes of TRS for which the encoding presented in
Section 4 leads to a cs-program which has the additional property that the
last argument of each predicate is free (i.e. it is a regular language). This
argument encodes the resulting term of the rewrite derivation, which allows us
to deduce recognizability preservation for certain kinds of input languages.
Definition 6. A quasi-cs-TRS is a TRS with the following properties:

— it is right-linear

— no rhs contains nested possible redexes

— for $l \to r \in R$, $x \in PRedVar(r)$ implies that either $x \notin Var(l)$
or $PRedDepth(x)$ is less than or equal to the minimal depth at which $x$
occurs in $l$.

Definition 7. An ib-TRS is a TRS with the following properties:

— it is right-linear

— no rhs contains nested possible redexes

— if $C$ is a possible redex of a right-hand side and $l$ a left-hand side then
$l$ is an instance of $C$.

Theorem 7. For both ib-TRS and quasi-cs-TRS, $\to^{*}_{R}$ can be represented
by a cs-program.

Proof. Since both ib-TRS and quasi-cs-TRS are right-linear, $\to^{*}_{R}$ and
$\to^{*}_{bas}$ are equal for these two classes. Now it is sufficient to prove
that the logic programs obtained from these classes of TRS are ib- or
quasi-cs-programs. Since ib- and quasi-cs-TRS are right-linear and do not
contain nested possible redexes in the rhs, the logic program obtained contains
only clauses with linear bodies. Moreover, for quasi-cs-TRS, since the depth of
a variable in the possible redexes of the rhs is less than or equal to its
minimal depth in the lhs, the depth of the variable in the bodies is less than
or equal to the minimal depth of this variable in the head. For ib-TRS, the
fact that the possible redexes of the rhs subsume the lhs ensures the ib
property of the resulting logic program.

Lemma 5. The program resulting from a quasi-cs-TRS or an ib-TRS is such that
the last component of each predicate is free.

In fact, this lemma is not true for the rules as given in Table 1. A rule like
$+(x, 0) \to x$ is transformed into the clause $P_+(x, 0, x) \leftarrow$;
obviously, the 3rd position of $P_+$ is not free because $x$ occurs twice in
the head of the clause. This problem appears for each rewrite rule $l \to r$
such that $Irr_R(r) \setminus PRedVar_R(r) \neq \emptyset$. Notice that since
$l \to r$ is right-linear, $x \in PRedVar(r)$ occurs once in the last argument
of the head and once in the body. So for all $f(s_1, \ldots, s_n) \to r$ such
that the resulting clause is $P_f(s_1, \ldots, s_n, s) \leftarrow B$, we define
$\sigma_r = \{x \mapsto x_r \mid x \in Var(s) \setminus Var(B)\}$ and
$B_r = \{P_{id}(x, x_r) \mid x \in Dom(\sigma_r)\}$ and we transform the clause
$P_f(s_1, \ldots, s_n, s) \leftarrow B$ into
$P_f(s_1, \ldots, s_n, s\sigma_r) \leftarrow B_r \cup B$. This new clause is
still a quasi-cs- or ib-clause and its last argument is linear and does not
share variables with other arguments. If $P_{id}$ is defined by the set of
clauses (which are both ib- and quasi-cs-clauses)
$P_{id}(f(x), f(x')) \leftarrow P_{id}(x, x')$ then the semantics of $P_f$
remains unchanged with regard to the Herbrand models.

For example, considering the rewrite rule $+(x, 0) \to x$, we have
$\sigma_r = \{x \mapsto x_r\}$, $B_r = \{P_{id}(x, x_r)\}$, and the transformed
clause is $P_+(x, 0, x_r) \leftarrow P_{id}(x, x_r)$.
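Table 1 (Section 4.2, with Example 2 and the possible-redex computation of Section 4.1) and the $P_{id}$ correction just described can be carried out mechanically. The following Python program is an added example, not the paper's code and not the authors' Prolog prototype. It computes $PRedPos_R$ and $Irr_R$ bottom-up from the definition (a subterm whose outermost inner possible redexes have been replaced by fresh hole variables is a possible redex when it unifies with some lhs), applies the rules of Table 1 to the rewrite rules of Example 2, and then applies the renaming $\sigma_r$ with the added $P_{id}$ atoms to each clause. The term and clause encodings, the hole names `_hole0`, ..., the fresh-variable names `x_eps`, `x_2`, ... and all function names are assumptions of the example.

```python
from itertools import count

# Constructed encoding: a variable is a plain string, f(t1,...,tn) is the tuple
# ("f", t1, ..., tn), a clause is (head, body) and the atom P_f(t1,...,tn,t) is
# the tuple ("P_f", t1, ..., tn, t).

def is_var(t):
    return isinstance(t, str)
def walk(t, sigma):
    while is_var(t) and t in sigma:
        t = sigma[t]
    return t
def occurs(x, t, sigma):
    t = walk(t, sigma)
    return x == t if is_var(t) else any(occurs(x, a, sigma) for a in t[1:])

def unify(s, t, sigma=None):
    """Most general unifier of s and t (with occurs check), or None."""
    sigma = {} if sigma is None else sigma
    s, t = walk(s, sigma), walk(t, sigma)
    if s == t:
        return sigma
    if is_var(s):
        return None if occurs(s, t, sigma) else {**sigma, s: t}
    if is_var(t):
        return unify(t, s, sigma)
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        sigma = unify(a, b, sigma)
        if sigma is None:
            return None
    return sigma

def apply_subst(t, sigma):
    return sigma.get(t, t) if is_var(t) else (t[0],) + tuple(apply_subst(a, sigma) for a in t[1:])
def vars_of(t):
    return {t} if is_var(t) else set().union(*(vars_of(a) for a in t[1:]))
def rename_apart(t, tag):
    return f"{t}#{tag}" if is_var(t) else (t[0],) + tuple(rename_apart(a, tag) for a in t[1:])

def _pred(t, lhss, u, holes):
    """Bottom-up: (pred, holed).  pred maps each possible redex position at or
    below u to its possible redex C; holed is t with its outermost possible
    redexes replaced by distinct hole variables (the boxes of the paper)."""
    if is_var(t):
        return {}, t
    pred, args = {}, []
    for i, arg in enumerate(t[1:], start=1):
        p, h = _pred(arg, lhss, u + (i,), holes)
        pred.update(p)
        args.append(h)
    C = (t[0],) + tuple(args)  # contains no possible redex position
    if any(unify(C, rename_apart(l, "lhs")) is not None for l in lhss):
        pred[u] = C  # C unifies with some lhs: u is a possible redex position
        return pred, f"_hole{next(holes)}"
    return pred, C

def possible_redexes(t, lhss):
    """PRedPos_R(t) as {position: possible redex}, together with Irr_R(t)."""
    return _pred(t, lhss, (), count())

def translate_term(s, lhss):
    """Table 1, rules 1-3: s |-> (t, G).  The fresh variable for the possible
    redex at occurrence u is named x_u (x_eps at the root), as in the paper."""
    pred, _ = possible_redexes(s, lhss)
    def go(t, u):
        if is_var(t):
            return t, []  # rule 1
        ts, G = [], []
        for i, arg in enumerate(t[1:], start=1):
            ti, Gi = go(arg, u + (i,))
            ts.append(ti)
            G.extend(Gi)
        if u in pred:  # rule 3: abstract the possible redex into x_u
            x = "x_" + (".".join(map(str, u)) or "eps")
            return x, G + [("P_" + t[0],) + tuple(ts) + (x,)]
        return (t[0],) + tuple(ts), G  # rule 2
    return go(s, ())

def translate_trs(rules):
    """Table 1, rule 4: f(s1,...,sn) -> s gives P_f(s1,...,sn,t) <- G; all of them form CP(R)."""
    lhss = [l for l, _ in rules]
    def clause(lhs, rhs):
        t, G = translate_term(rhs, lhss)
        return (("P_" + lhs[0],) + tuple(lhs[1:]) + (t,), G)
    return [clause(l, r) for l, r in rules]

def free_last_argument(clause):
    """Sect. 5: each variable of the last head argument that is absent from the
    body is renamed x -> x_r and tied to x by a new atom P_id(x, x_r)."""
    head, body = clause
    body_vars = set().union(*(vars_of(a) for a in body)) if body else set()
    sigma = {x: x + "_r" for x in sorted(vars_of(head[-1]) - body_vars)}
    extra = [("P_id", x, xr) for x, xr in sigma.items()]
    return head[:-1] + (apply_subst(head[-1], sigma),), extra + body

# Example 2 of the paper (multiplication and addition) and Example 1.
MULT_ADD = [
    (("*", ("0",), "x"), ("0",)),
    (("*", ("s", "x"), "y"), ("+", "y", ("*", "x", "y"))),
    (("+", ("0",), "x"), "x"),
    (("+", ("s", "x"), "y"), ("s", ("+", "x", "y"))),
]
EX1_LHS = ("f", ("s", "x"))
EX1_TERM = ("c", ("f", ("p", "x")), ("f", ("f", "x")))
```

`translate_trs(MULT_ADD)` reproduces the four clauses of Example 2 (body atoms in the order they are generated), `free_last_argument` turns $P_+(0, x, x) \leftarrow$ into $P_+(0, x, x_r) \leftarrow P_{id}(x, x_r)$ and leaves the other three clauses unchanged, and `possible_redexes(EX1_TERM, [EX1_LHS])` yields the positions $\{2, 2.1\}$ and the irreducible part $c(f(p(x)), \Box)$ of Example 1.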

Now we show how to use these results to compute $R^{*}_{bas}(E)$ where $R$ is
either a quasi-cs- or an ib-TRS and $E$ a regular tree language. In [10] it has
been shown that $R^*(E)$ is not regular for the TRS
$R = \{f(g(x)) \to g(f(x))\}$, which is both ib and quasi-cs, and the regular
tree language $E = (fg)^*0$. $R^*(E)$ is the set of terms which contain as many
$f$ as $g$, in particular $R^*(E) = \ldots$ which is not a regular language. One
can remark that the terms of $E$ contain an unbounded number of possible
redexes. So $E$ has to be restricted to a regular tree language with a bounded
number of possible redexes.

Definition 8. A regular tree language $E$ is possible-redex-bounded if there
exists an integer $k$ such that every term $t$ in $E$ contains at most $k$
possible redexes.

Theorem 8. Let $E$ be a possible-redex-bounded regular tree language and $R$ be
a right-linear TRS which is either instance-based or quasi-cs. Then
$R^{*}_{bas}(E)$ is a regular tree language.

Proof. A possible-redex-bounded regular tree language can be described by a
logic program with two kinds of clauses:

$P(f(x_1, \ldots, x_n)) \leftarrow P_1(x_1), \ldots, P_n(x_n)$ for positions
that are not rewritten, and
$P(y) \leftarrow P_f(x_1, \ldots, x_n, y), P_1(x_1), \ldots, P_n(x_n)$ for
possible redex positions (notice that this clause is almost a regular join
definition); in this case the bodies of the clauses defining $P$ do not contain
$P$ and no other clause is headed by $P$.

The set of non-regular definitions $L_*$ can be stratified in the following
way:
$L_0 = \{P(y) \leftarrow P_f(x_1, \ldots, x_n, y), P_1(x_1), \ldots, P_n(x_n)$
s.t. the definition of the $P_i$ does not contain any join definition$\}$.

$L_i = \{P(y) \leftarrow P_f(x_1, \ldots, x_n, y), P_1(x_1), \ldots, P_n(x_n)$
s.t. the definition of the $P_i$ contains no non-regular definitions but those
of $\bigcup_{j<i} L_j\}$.

Then for a right-linear irreducible-based TRS $R$ which is either ib or
quasi-cs and a tree language defined as above by a logic program $Input$, we
first compute $\mathcal{CP}(R)$ and then transform it into the cs-program
$cs(\mathcal{CP}(R))$; then we apply the following algorithm:

$\mathcal{P}_0 = (Input \setminus L_*)$, $Done = \emptyset$, $k = 1$
while $Done \neq L_*$
    Let $i = Min(\{ j \mid L_j \setminus Done \neq \emptyset \})$
    Let $C \in L_i \setminus Done$
    Let $\mathcal{P}'$ be the cs-program computed from $C$ and $\mathcal{P}_{k-1} \cup cs(\mathcal{CP}(R))$
    $\mathcal{P}_k = Reg(\mathcal{P}')$
    $k = k + 1$
end while

By the definition of $Input$, $\mathcal{P}_0$ is a linear monadic program. So
the first iteration of the algorithm is a regular join definition
transformation. If for a step $k$, $C$ is a regular join definition compatible
with $\mathcal{P}_k \cup cs(\mathcal{CP}(R))$, we have from the freeness
property that the lonely argument of each predicate of $L_i$ will be free,
therefore $Reg(\mathcal{P}')$ produces only linear monadic clauses, so
$\mathcal{P}_{k+1}$ is linear monadic.

As a consequence $\mathcal{P}_*$, which defines the language $R^{*}_{bas}(E)$,
describes a regular tree language.

This result can be used for example to compute the set of descendants of
ground constructor instances of a linear term, for a constructor-based TRS.
Indeed, consider the term $f(s(g(x)))$ where the constructor symbols are $s$
and $0$. Its ground constructor instances contain only two possible redexes.
The program is

$P(x) \leftarrow P_f(x_1, x), P_s(x_1)$ $\quad$ $P_s(s(x)) \leftarrow P'(x)$ $\quad$ $P'(x) \leftarrow P_g(x_1, x), P_*(x_1)$

$P_*(0) \leftarrow$ $\quad$ $P_*(s(x)) \leftarrow P_*(x)$

But it is also possible to compute the set of descendants of the regular
language $s^*(f(s^*(g(x))))$ where $f$ and $g$ may occur at any depth in the
terms of the language. This weakens the restriction of [10] on the kind of
regular language allowed for computing $R^*(E)$, and can be useful for
reachability problems issued from infinite state system verification, for
example.

Our result on ib-TRS extends those of [10] because all constructor-based TRS
satisfying Réty's restrictions are ib-TRS, but the TRS containing the single
rule $f(s(x)) \to f(f(p(x)))$ does not satisfy the condition on nested function
symbols.

Quasi-cs-TRS neither include nor are included in Réty's TRS. Indeed the former
TRS is an instance-based one. On the other hand
$\{f(x) \to g(s(x)),\ g(s(p(x))) \to g(x)\}$ respects Réty's restrictions but
is not an ib-TRS. Another main class of TRS which has been studied is the
right-linear finite path overlapping TRS defined in [12]. This class allows
nested possible redexes, which is forbidden for cs-TRS. On the other hand
rewrite rules like $f(s(x)) \to f(x)$ are not allowed in [12], but as the name
of the class indicates, right-linearity is required, therefore the basic
rewriting relation is equivalent to the rewrite relation, so it should be
possible to handle this kind of TRS in our framework. More recently [11]
defines the class of layered transducing TRS (LT-TRS for short) which preserve
recognizability under some conditions. An LT-TRS is a linear TRS working over
a signature where some unary function symbols are distinguished as markers.
The rules of an LT-TRS are of one of the following two forms:
$f(q_1(x_1), \ldots, q_n(x_n)) \to q(t)$ or $q(x) \to q'(t')$ where
$q, q', q_1, \ldots, q_n$ are markers and $t, t'$ do not contain any markers.
The class of LT-TRS is a strict subclass of ib-cs TRSs since $t$ and $t'$ do
not contain any possible redexes. The authors of this article define two
conditions on LT-TRS to obtain recognizability preservation. The first one
corresponds to the conditions of Theorem 8 on the input language. The second
condition, defining the IO-separated LT-TRS, is on the marker symbols and
allows one to get the preservation for any input language, which is not the
case for ib-cs TRSs.



6 Conclusion and Future Work 

The translation of basic rewriting to logic programming presented in this paper
provides a simple way to obtain finite presentations for derivations that allow
one to study properties of term rewrite systems. Its generality allows us to
extend already known results as well as to get new ones. Other classes of logic
programs also transform to finite cs-programs. Pseudo-regular programs, for
example, extend the regular relations of [2] by weakening the restriction on
copying clauses. This should lead to further classes of term rewrite systems
preserving recognizability. Pseudo-regular tuple languages are closed under
intersection, therefore we expect that the corresponding class of term rewrite
systems is less restrictive on the right-hand sides. Our final aim is to give a
complete characterization of term rewrite systems preserving regularity that
correspond to finite cs-programs.

A nice side effect of translating everything to logic programs is that we
obtain without much effort prototype implementations in Prolog which allow one
to experiment with the results.
Abstract. We show that, unlike the case in finitary term rewriting,
confluence is not a modular property of infinitary term rewriting systems,
even when these are non-collapsing. We also give a positive result: two
sufficient conditions for the modularity of confluence in the infinitary
setting.



1 Introduction 

Modularity is the study of properties of rewriting systems that are, or are not,
preserved when combining different systems. In finitary term rewriting, a number
of properties, e.g. confluence [9, 14], are known to be modular whereas others,
e.g. termination [13], are known not to be; see Ch. 8 of [11] for an overview.
Modularity has, however, been left completely uninvestigated in the setting of
infinitary term rewriting, a formalism developed in a series of landmark papers
[3, 4, 6, 7]. In this paper, we take the first steps to investigate modularity
in the setting of strongly convergent infinitary rewriting.

1.1 Contributions 

We show that:

— Confluence is not a modular property of infinitary term rewriting systems,
even for non-collapsing systems.

— Confluence is preserved under disjoint union of a set of left-linear iTRSs iff
the set has the property of being essentially non-collapsing, i.e. at most one
system contains collapsing rules.

— Confluence is preserved under disjoint union of a set of arbitrary (i.e. not
necessarily left-linear), non-collapsing iTRSs if only terms of finite rank are
considered.

1.2 Organization of the Paper 

Section 2 introduces basic concepts from infinitary rewriting and defines what
it means for a property to be modular in this setting. Section 3 contains the
counterexample to modularity of confluence. Sections 4 and 5 present the two
sufficient conditions for confluence to be modular, whereas Section 6 briefly
discusses the difficulties in extending the results to the setting of weakly
convergent rewriting.

2 Preliminaries 

We assume familiarity with finitary term rewriting (ample introductions are
[2, 8, 1] and Chapter 2 of [12]) and basic ordinal theory (see e.g. [10]). The
successor of an ordinal $\alpha$ is denoted by $\alpha + 1$, and the least
infinite ordinal by $\omega$. If $\alpha$ is a limit ordinal, we indicate this
by writing $Lim(\alpha)$. We assume a countable set of variables and a
“Hilbert-hotel” style renaming for all terms considered so that fresh variables
are always available. Positions in (finite) terms are elements of
$\{1, 2, \ldots\}^*$ defined in the usual way. The subterm of term $s$ at
position $p$ is denoted $s|_p$. The root symbol of a term is the symbol at
position $\epsilon$. If $f$ is a unary function symbol and $k \in \omega$, we
denote by $f^k(s)$ $k$ successive applications of $f$ to the term $s$; we
extend the notation to include $f^\omega$ with the obvious meaning. Let
$\Box \notin \Sigma \cup X$. A term with holes is a term over $\Sigma$ with
variable set $X \cup \{\Box\}$. A term with a hole at position $p$ will be
written as $s[\,]_p$; a term where the holes are at positions $i \in I$, where
$I$ is some (possibly infinite) set, is written as $s[\,]_{i \in I}$ and is
called a (many-hole) context. Observe that a context may have no holes.
Substituting terms from an $I$-indexed sequence of terms $(s_i)_{i \in I}$ into
a many-hole context is defined in the obvious way. In the following, we recall
a number of concepts from infinitary rewriting; our definitions are as in [5],
with a few differences in nomenclature.

Definition 1. Let $Ter(\Sigma)$ be the set of finite terms over the (not
necessarily finite) signature $\Sigma$ with alphabet $X$. Define the metric
$d : Ter(\Sigma) \times Ter(\Sigma) \to [0; 1]$ by $d(t,t') = 0$ if $t = t'$ and
$d(t,t') = 2^{-k}$ otherwise, where $k$ is the length of the shortest position
at which $t$ and $t'$ differ. The completion of the metric space
$(Ter(\Sigma), d)$, denoted $Ter^\infty(\Sigma)$, is called the set of finite
and infinite terms (or simply terms) over $\Sigma$. The depth of a position $u$
in a term is the length $|u|$ of $u$.

Definition 2. An infinitary rewrite rule is a pair $l \to r$ where
$l \in Ter(\Sigma)$ and $r \in Ter^\infty(\Sigma)$ such that $l$ is not a
variable and every variable in $r$ occurs in $l$. An infinitary term rewriting
system, denoted iTRS, is a pair $\mathcal{R} = (\Sigma, R)$, consisting of a
signature $\Sigma$ and a set of infinitary rewrite rules $R$.

Definition 3. A term $s$ is linear if every variable of $X$ occurs at most once
in $s$. A rule $l \to r$ is left-linear if $l$ is linear. $l \to r$ is
collapsing if $r \in X$.

Definition 4. Let $\alpha$ be any ordinal. A derivation of length $\alpha$ is a
sequence of rewrite steps $(s_\beta \to s_{\beta+1})_{\beta < \alpha}$. In the
step $s_\beta \to s_{\beta+1}$, assume that the redex contracted is at position
$u_\beta$ of $s_\beta$; the depth, denoted $d_\beta$, of the redex is the depth
of $u_\beta$. The derivation is called weakly convergent (aka Cauchy
convergent) if, for every limit ordinal $\lambda \le \alpha$, the distance
$d(s_\beta, s_\lambda)$ tends to 0 as $\beta$ approaches $\lambda$ from below.
It is called strongly convergent if it is Cauchy convergent and, in addition,
$d_\beta$ tends to infinity as $\beta$ approaches $\lambda$ from below. If
$(s_\beta \to s_{\beta+1})_{\beta < \alpha}$ is convergent with limit $t$ and
$s_0 = s$, we write $s \to^{\alpha} t$, and say that $t$ is a derivative of
$s$. When the length of the derivation is bounded above by $\gamma$, we shall
occasionally write $s \to^{\le\gamma} t$. When the length of a strongly
convergent derivation is unimportant, we write $s \twoheadrightarrow t$.

Observe that concatenating any finite number of strongly convergent derivations
yields a strongly convergent derivation. The following lemma concerning
strongly convergent rewriting is due to Kennaway et al. [5, 6]:

Lemma 1 (Compression). In every left-linear iTRS, if $s \twoheadrightarrow t$,
then $s \to^{\le\omega} t$.

Definition 5. A peak of an iTRS $R$ is a triple
$t \twoheadleftarrow s \twoheadrightarrow t'$ of terms such that
$s \twoheadrightarrow t$ and $s \twoheadrightarrow t'$. A valley of an iTRS $R$
is a triple $t \twoheadrightarrow s' \twoheadleftarrow t'$ of terms such that
$t \twoheadrightarrow s'$ and $t' \twoheadrightarrow s'$. If there exists a
valley $t \twoheadrightarrow s' \twoheadleftarrow t'$, then $t$ and $t'$ are
said to be joinable, written $t \sim t'$, and $s'$ is said to be their join. A
term $s$ of $R$ is said to be confluent (aka transfinitely Church-Rosser) if
every peak $t \twoheadleftarrow s \twoheadrightarrow t'$ has a corresponding
valley $t \twoheadrightarrow s' \twoheadleftarrow t'$. The iTRS $R$ is said to
be confluent if all of its terms are confluent.

The next auxiliary lemma, the Dovetailing Lemma, will prove to be useful in
Sections 4 and 5.

Lemma 2 (Dovetailing). If $(s_i)_{i \in I}$ is a set of parallel subterms of
some term $s = C[s_i]_{i \in I}$ such that there are terms $t_i$ with
$s_i \twoheadrightarrow t_i$ for all $i \in I$, then
$s \twoheadrightarrow C[t_i]_{i \in I}$.

Proof. Since function symbols have finite arity, there are finitely many $s_i$
with root symbol at any given depth $k$. Since concatenation of a finite number
of strongly convergent derivations yields a strongly convergent derivation,
there exists, for every $k \in \omega$, a strongly convergent derivation $S_k$
turning all $s_i$ with root symbol at depth $k$ into the respective $t_i$.
Clearly, the derivation $S_0 \cdot S_1 \cdot S_2 \cdots$ is strongly convergent
with limit $C[t_i]_{i \in I}$. □

Definition 6. The direct sum of a set $\mathcal{R} = \{R_k\}_{k \in \mathcal{K}}$
of iTRSs over signatures $\{\Sigma_k\}_{k \in \mathcal{K}}$, denoted by
$\oplus\mathcal{R}$, is the iTRS $\biguplus_{k \in \mathcal{K}} R_k$ over
signature $\biguplus_{k \in \mathcal{K}} \Sigma_k$, where $\uplus$ is disjoint
union of sets. If $\{R_k\}_{k \in \mathcal{K}} = \{R_0, R_1\}$ we write
$R_0 \oplus R_1$. A term over $\biguplus_{k \in \mathcal{K}} \Sigma_k$ is called
monochrome if all of its function symbols are elements of a single $\Sigma_k$.

When the involved signatures are disjoint, we refer to the iTRSs of
$\mathcal{R}$ as being disjoint. Observe that, unlike the finitary case, we
allow sums of any (finite or infinite) number of iTRSs. As we shall see, this
has no impact on the modularity of confluence.
Definition 7. The rank of a term $s$ over $\{\Sigma_k\}_{k \in \mathcal{K}}$,
denoted by $rank(s)$, is the maximal number of signature changes in maximal
paths starting from the root, if such a number exists, and $\infty$ otherwise.
If $rank(s) \neq \infty$, we say that $s$ is of finite rank.

Note that $rank(s) = \infty$ does not imply the existence of a maximal path
encountering infinitely many signature changes. All maximal paths could
encounter only finitely many signature changes, but an upper bound on the
number of such changes may not exist.

Definition 8. A predicate $P$ on the class of iTRSs is said to be modular if,
given an arbitrary set $\{R_k\}_{k \in \mathcal{K}}$, the direct sum
$\oplus\mathcal{R}$ has property $P$ iff all elements of
$\{R_k\}_{k \in \mathcal{K}}$ have property $P$.

In (finitary) TRSs, the number of elements of $\{\Sigma_k\}_{k \in \mathcal{K}}$
contributing function symbols to any term $s$ is finite. Hence, it is
sufficient to consider finite sets $\mathcal{K}$ in this setting, showing that
our definition reduces to the usual one in the finitary case.

Definition 9. Let the root symbol of the term $s$ over
$\biguplus_{k \in \mathcal{K}} \Sigma_k$ belong to the signature $\Sigma_r$. The
cap of $s$, denoted $cap(s)$, is the maximal monochrome, linear term
$C[x_i]_{i \in I}$ containing the root symbol of $s$ such that there is a
sequence $(s_i)_{i \in I}$ of terms with root symbols in
$\biguplus_{k \in \mathcal{K} \setminus \{r\}} \Sigma_k$ and
$s = C[s_i]_{i \in I}$, in which case we write $C[[s_i]]_{i \in I}$ for
clarity. The $s_i$ are called the principal subterms of $s$.

Observe that a term $s$ may have an infinite number of principal subterms.

Definition 10. The set of blocks of a term $s$ over
$\biguplus_{k \in \mathcal{K}} \Sigma_k$, denoted $Bl(s)$, is defined by the
following coinduction:

1. $cap(s) \in Bl(s)$.

2. If $s = C[[s_i]]_{i \in I}$, then, for all $i \in I$, $Bl(s_i) \subseteq Bl(s)$.

A block $b$ is collapsing if $b \twoheadrightarrow x$ for some $x \in X$, and we
say that $b$ collapses to $x$. If the underlying iTRS is confluent, each
collapsing block $b$ can collapse to at most one $x$ and we call that $x$ the
collapsing variable of that block.

Definition 11. A rewrite step $s \to t$ is outer if the redex contracted is in
the cap of $s$, otherwise it is inner. An outer step is indicated by $\to_o$,
an inner step by $\to_i$.




In the remainder of the paper, we make essential use of the descendant rela- 
tion well-known from strongly convergent rewriting [5, Def. 12.5.1], that tracks 
positions across derivations. Observe that since we do not in general track resid- 
uals (i.e. what “happens” to redexes), we do not require the iTRS involved to 
be left-linear (certain residuals will be tracked in Section 4 where all systems 
are assumed to be left-linear). 
Definition 12 (The Descendant Relation). Let $R$ be an iTRS, let $s$ be a
term of $R$, and let $s \twoheadrightarrow t$. The set of descendants of any
position $u \in Pos(s)$ across $s \twoheadrightarrow t$, denoted
$u/(s \twoheadrightarrow t)$, is defined by induction on the length $\alpha$ of
$s \twoheadrightarrow t$:

— $\alpha = 0$. Then $u/(s \twoheadrightarrow t) = \{u\}$.

— $\alpha = \beta + 1$. Let $q$ be any position of $s_\beta$ and assume that
the redex $r$ contracted in $s_\beta \to s_{\beta+1}$ is of the rule $l \to r$
and situated at position $u$. If $u \not\le q$, then
$q/(s_\beta \to s_{\beta+1}) = \{q\}$. If $u \le q$, then there is exactly one
variable occurrence $x$ in $l$ at position $p_x$ such that $u \cdot p_x \cdot p' = q$
for some position $p'$. Let $\{p_k\}_{k \in K}$ be the set of positions of
occurrences of $x$ in $r$. Then
$q/(s_\beta \to s_{\beta+1}) = \{u \cdot p_k \cdot p' \mid k \in K\}$; then
define $u/(s \twoheadrightarrow s_{\beta+1})$ to be
$\bigcup_{q \in u/(s \twoheadrightarrow s_\beta)} q/(s_\beta \to s_{\beta+1})$.

— $Lim(\alpha)$. Here, a position $q$ of $s_\alpha$ is a descendant of a
position $u$ of $s$ iff $q$ is a descendant of $u$ in $s_\beta$ for all
sufficiently large $\beta < \alpha$.

We shall speak of descendants of variable occurrences and principal subterms,
meaning “the position of a variable occurrence” and “position of the root
symbol of a principal subterm”. Note that the definition of descendant entails
that if $s = C[[s_i]]_{i \in I} \twoheadrightarrow t = C'[[t_j]]_{j \in J}$ and
some $t_j$ is a descendant of $s_i$, then $s_i \twoheadrightarrow t_j$.

Strong convergence is crucial in this respect (cf. Section 6).

3 A General Counterexample to Modularity of Confluence

We now turn to the modularity of confluence. As in the case of orthogonal
systems, there is a trivial counterexample based on the presence of two
collapsing rules: if $R_0 = \{f(x) \to x\}$ and $R_1 = \{g(x) \to x\}$, then
both $R_0$ and $R_1$ are confluent, but in $R_0 \oplus R_1$ there is a peak
$f^\omega \twoheadleftarrow f(g(f(g(\cdots)))) \twoheadrightarrow g^\omega$, and
$f^\omega$ and $g^\omega$ are obviously not joinable. We will therefore
restrict our attention to non-collapsing systems.

In infinitary rewriting, we may need “balancing” rules to make non-left-linear
rules applicable if we desire confluence. To appreciate this, consider
$S = \{f(x,x) \to a\}$ which is (finitarily) confluent by Newman's Lemma; but
when considering $S$ as an iTRS, we lose (infinitary) confluence:

Example 1. Consider $S$. From the term $h = f(h,h)$ we get the following two
derivatives $k = f(a,k)$ and $p = f(p,a)$, both of which are normal forms of
$S$, i.e. $S$ cannot be confluent. □

Suitably extending $S$ yields a confluent iTRS; consider the following
right-ground system:

$R = \{\ f(x,x) \to a,\ \ f(a,x) \to a,\ \ f(x,a) \to a,\ \ f(f(x,y),z) \to a,\ \ f(x,f(y,z)) \to a\ \}$
We have the following:

Proposition 1. $R$ is confluent.

Proof. We claim that if $f(s,s')$ is a term and if $f(s,s') \twoheadrightarrow t$
is a strongly convergent derivation of length at least 1, then $t \to a$
(observe that $t \notin X$). We reason as follows: if $t = a$, we are done.
Otherwise, write $t = f(w,w')$ and split on cases according to $w$ and $w'$:

1. $w = a$ or $w' = a$. Here, $t \to a$ by an application of either the rule
$f(a,x) \to a$ or $f(x,a) \to a$.

2. $w = f(r,r')$ or $w' = f(r,r')$. In this case, $t \to a$ by an application
of either the rule $f(f(x,y),z) \to a$ or the rule $f(x,f(y,z)) \to a$.

3. $w = x$ and $w' = y$ for $x, y \in X$. Since there are no collapsing rules,
this is only possible if $s = x$ and $s' = y$. If $x \neq y$, $f(x,y)$ is a
normal form, which contradicts the assumption that
$f(s,s') \twoheadrightarrow t$ has length at least 1. Thus, we must have
$x = y$, i.e. $w = w'$ and the rule $f(x,x) \to a$ yields $f(w,w') \to a$. □

Make a "copy", $R'$, of $R$, renaming $f$ to $g$ and $a$ to $b$, and copying the rules 
mutatis mutandis. The resulting system is clearly confluent, but $R \oplus R'$ is not 
confluent: 

Proposition 2. The term $s = f(g(s,s), g(s,s))$ is not confluent (in $R \oplus R'$). 

Proof. It is clear that $s \to a$ and that $g(s,s) \to b$. There is a strongly con-
vergent derivation of the "right" subterm $g(s,s)$ with limit $s'' = g(a, f(b, s''))$. 
Since the "left" subterm $g(s,s)$ rewrites in one step to $b$, $s$ can in $\omega$ steps be 
rewritten to $s' = f(b, g(a, s'))$, which is a normal form (no rule of $R$ matches 
$f(b, g(a,s'))$, and no rule of $R'$ matches $g(a, s')$ since $a \neq s'$). Thus, there is a peak 
$a \leftarrow s \twoheadrightarrow s'$ for which no corresponding valley exists. □ 

Corollary 1. $R \oplus R'$ is not confluent. 

Corollary 2. Confluence is not a modular property of iTRSs. 

The counterexample to confluence crucially employs two facts: 

1. One of the considered systems has a rule that is not left-linear. 

2. The specific term considered does not have finite rank. 

The further main results of this paper are that if restrictions are imposed on 
one of the two facts above, modularity of confluence may be recovered. 

4 Modularity of Confluence for Left-Linear Systems 

In this section we consider combinations of confluent, left-linear, pairwise dis-
joint systems, and subsequently derive necessary and sufficient conditions for 
modularity of confluence. We begin by proving our results for non-collapsing 
iTRSs and later extend them to sets $\mathcal{R}$ of iTRSs that are essentially 
non-collapsing (Definition 14). 

Definition 13. The term $s$ is said to be insulated if it contains no collapsing 
blocks. 

Proposition 3. If $R$ is a left-linear iTRS, $s$ is insulated and $s \twoheadrightarrow t$, then $t$ 
is insulated. 

Proof. By left-linearity and insulation of $s$. □ 

Thus, for left-linear systems, insulation of $s$ corresponds to the notion of preser-
vation well known from the study of modularity in finitary rewriting [9]. 

Proposition 4 (Outer and Inner Derivations Commute). Let $\mathcal{R}$ be a set 
of left-linear, pairwise disjoint iTRSs and let $s$ be an insulated term with a peak 
$t \twoheadleftarrow s \twoheadrightarrow t'$ in which $s \twoheadrightarrow t$ is an outer derivation and $s \twoheadrightarrow t'$ is an 
inner derivation. Then there exists a term $s'$ and a valley $t \twoheadrightarrow s' \twoheadleftarrow t'$ in 
which $t \twoheadrightarrow s'$ is inner and $t' \twoheadrightarrow s'$ is outer. 

Proof. Straightforward induction on the length of the longer of the two deriva-
tions in the peak (in case of equal length, pick either of them). □ 

Proposition 5 (Postponement of Inner Derivation). Let $\mathcal{R}$ be a set of 
left-linear, pairwise disjoint iTRSs and let $s$ be an insulated term with $s \twoheadrightarrow t$ 
(in $\oplus\mathcal{R}$). Then there is a term $t'$ such that $s \twoheadrightarrow t' \twoheadrightarrow t$, where 
$s \twoheadrightarrow t'$ is an outer derivation and $t' \twoheadrightarrow t$ is an inner derivation. 

Proof. By left-linearity and insulation, inner rewrite steps can neither destroy 
nor create outer redexes, and there is thus a term $t'$ and a strongly convergent 
outer derivation $s \twoheadrightarrow t'$ such that $\mathrm{cap}(t') = \mathrm{cap}(t)$, and such that the set of 
descendants of any position of a variable occurrence in $\mathrm{cap}(s)$ is identical under 
$s \twoheadrightarrow t$ and $s \twoheadrightarrow t'$. Every principal subterm $t_j$ of $t$ is a descendant of some 
principal subterm $s_i$ of $s$, and by disjointness of the iTRSs and strong convergence, 
we have $s_i \twoheadrightarrow t_j$. By strong convergence of $s \twoheadrightarrow t$ and the definition of 
descendant, $t_j$ is eventually "fixed" at a single position $p_j$. The principal subterm 
of $t'$ at $p_j$ is a descendant of $s_i$, and since there were no inner steps in $s \twoheadrightarrow t'$, 
it must be identical to $s_i$. Hence, $s_i \twoheadrightarrow t_j$ by an inner derivation starting 
from $t'$. Since $t_j$ was arbitrary, the same argument holds for all principal subterms 
of $t$, and an application of the Dovetailing Lemma concludes the proof. □ 

Proposition 6. Let $\mathcal{R}$ be a set of left-linear, pairwise disjoint, confluent iTRSs, 
and let $s$ be an insulated term. Then the following diagram commutes for any 
peak $t \twoheadleftarrow s \twoheadrightarrow t'$: 

[Diagram lost in extraction. Its shape follows from the proof: both sides of the 
peak are factored by Proposition 5 into an outer derivation followed by an inner 
one; the resulting outer peak is closed by a term $s_1$; the two mixed squares are 
closed by Proposition 4 and yield outer derivations $t \twoheadrightarrow t_1$ and $t' \twoheadrightarrow t_1'$; 
the remaining corner is the inner peak $t_1 \twoheadleftarrow s_1 \twoheadrightarrow t_1'$.] 

where all rewrite steps in the peak $t_1 \twoheadleftarrow s_1 \twoheadrightarrow t_1'$ take place at depth $\geq 1$. 

Proof. Use Proposition 5 twice to erect the leftmost and uppermost sides of the 
diagram. Since the systems were assumed to be confluent and left-linear, outer 
derivation is confluent, whence we get commutativity of the upper-left square. 
Two applications of Proposition 4 furnish commutativity of the two remaining 
squares. All rewrite steps in the peak $t_1 \twoheadleftarrow s_1 \twoheadrightarrow t_1'$ are inner, and so by 
insulation take place at depth $\geq 1$. □ 

Lemma 3. Let $\mathcal{R}$ be a set of left-linear, confluent, pairwise disjoint iTRSs. 
Then every insulated term is confluent (in $\oplus\mathcal{R}$). 

Proof. Let $t \twoheadleftarrow s \twoheadrightarrow t'$ be a peak of $\oplus\mathcal{R}$ with $s$ insulated. By Propo-
sition 6, we can erect a diagram as in that proposition. Consider the peak 
$t_1 \twoheadleftarrow s_1 \twoheadrightarrow t_1'$ and observe that $\mathrm{cap}(s_1) = \mathrm{cap}(t_1) = \mathrm{cap}(t_1')$, since $s$ was 
insulated. Write $s_1 = C[\![s_i]\!]_{i \in I}$. Then the inner derivations in $t_1 \twoheadleftarrow s_1 \twoheadrightarrow t_1'$ 
occur in the $s_i$. Applying the proposition coinductively to the inner derivations 
in the $s_i$, using the Dovetailing Lemma to arrange the derivations in parallel 
subterms, yields strongly convergent derivations $t \twoheadrightarrow s' \twoheadleftarrow t'$ for some term $s'$, 
as all redex contractions at the "$k$-th application" of Proposition 6 take place at 
depth $\geq k$. [The accompanying diagram, which stacks the squares of Proposition 6 
one level deeper at each application, was lost in extraction.] □ 

Corollary 3. Confluence is modular for left-linear, non-collapsing iTRSs. 



4.1 Essentially Non-collapsing Sets of iTRSs 

We now give a simple condition on sets of iTRSs that will turn out to be a 
necessary and sufficient condition for the modularity of confluence. 

Definition 14. A set, $\mathcal{R}$, of pairwise disjoint iTRSs is said to be essentially 
non-collapsing if at most one iTRS of $\mathcal{R}$ contains a collapsing rule. If there 
exists an $R$ such that $R$ is the unique iTRS among $\mathcal{R}$ that contains a collapsing 
rule, we call $R$ the collapsing colour of $\mathcal{R}$. 

The definition is similar to the notion of almost-non-collapsing iTRS well 
known from the study of orthogonal iTRSs [5]; observe, however, that the term 
is used here as a property of a set of iTRSs, not of the individual iTRSs. 

Proposition 7. Let $R$ be a left-linear iTRS. If there is a strongly convergent 
derivation $s \to^{\alpha} x$ for some $x \in X$, then $s \to^{k} x$ for some $k \in \omega$. 

Proof. By the Compression Lemma, we may assume that $\alpha \leq \omega$. The fact that 
$s \to^{\alpha} x$ is strongly convergent now furnishes the desideratum: if $\alpha = \omega$, then all 
but finitely many steps would take place at depth $\geq 1$, so from some point on a 
function symbol would be fixed at the root of every term in the derivation and of 
its limit, which is impossible for the variable $x$. □ 

Lemma 4. If $\mathcal{R}$ is a set of left-linear, pairwise disjoint, confluent iTRSs such 
that $\oplus\mathcal{R}$ is confluent, then $\mathcal{R}$ is essentially non-collapsing. 

Proof. By contraposition. If $\mathcal{R}$ were not essentially non-collapsing, there would 
be at least two iTRSs, $(\Sigma_1, R_1)$ and $(\Sigma_2, R_2)$, each containing a collapsing rule. 
We may write these as $C_1[x] \to x$, resp. $C_2[x] \to x$, where the first rule is from $R_1$ 
and the second from $R_2$. The term $C_1[C_2[C_1[C_2[\cdots]]]]$ has the two derivatives 
$C_1[C_1[\cdots]]$ and $C_2[C_2[\cdots]]$, which are terms over disjoint alphabets and are hence 
joinable only if both terms can be rewritten to a variable, $y$. By Proposition 7, 
this can only happen if $C_1[C_1[\cdots]] \to^{k} y$ for some $k \in \omega$. Since this derivation is 
finite, there exists an $n$ such that a stack $C_1[\cdots[C_1[x]]]$ of $n$ copies of $C_1[x]$ rewrites 
to $y$. But clearly $C_1[\cdots[C_1[x]]] \twoheadrightarrow x$, whence confluence of the underlying 
iTRS yields $x = y$. By left-linearity, we may assume that there are no copies 
of $x$ in $C_1[C_1[\cdots]]$. Thus, $C_1[C_1[\cdots]]$ and $C_2[C_2[\cdots]]$ have no common join, 
contradicting confluence of $\oplus\mathcal{R}$. □ 

Thus, essential non-collapsingness is a necessary condition for modularity of 
confluence. To see that it is also sufficient, we proceed as follows: 

Definition 15. Let $\mathcal{R}$ be an essentially non-collapsing set of left-linear, confluent, 
pairwise disjoint iTRSs. Let $s$ be a term and write $s = C[\![s_i]\!]_{i \in I}$ (observe that 
if $s$ is monochrome, we have $I = \emptyset$). We define the term $\hat{s}$ as follows: 

\[
\hat{s} =
\begin{cases}
C[\hat{s}_i]_{i \in I} & \text{if } C[x_i]_{i \in I} \text{ is not collapsing,} \\
\hat{s}_m & \text{if } C[x_i]_{i \in I} \twoheadrightarrow x_m .
\end{cases}
\]

That is, $\hat{s}$ is the term obtained from $s$ by collapsing all collapsing blocks 
in a top-down fashion; by essential non-collapsingness, only blocks of a single 
colour will be collapsed. Observe that by confluence of the elements of $\mathcal{R}$, each 
block can collapse in at most one way, whence $\hat{s}$ is well-defined. Note also that 
$s \twoheadrightarrow \hat{s}$. 

Proposition 8. Let $\mathcal{R}$ be an essentially non-collapsing set of left-linear, pair-
wise disjoint, confluent iTRSs. Then $\hat{s}$ is insulated, and the set of descendants 
of any $u \in \mathrm{Pos}(s)$ is the same for any strongly convergent derivation $s \twoheadrightarrow \hat{s}$ 
and satisfies $|u/(s \twoheadrightarrow \hat{s})| \leq 1$. 

Proof. By left-linearity, contraction of redexes in one block can only create re-
dexes in another if the block collapses. Since the considered systems are left-linear 
and there is at most one collapsing colour, $\hat{s}$ must be insulated. By confluence of 
the systems, each collapsing block $C[x_1, \ldots, x_m]$ has a unique collapsing variable 
$x_i$, and we hence have $|u/(s \twoheadrightarrow \hat{s})| \leq 1$ for any such derivation. $u/(s \twoheadrightarrow \hat{s})$ 
is clearly independent of the choice of derivation. □ 

Definition 16. Let $\mathcal{R}$ be an essentially non-collapsing set of left-linear, conflu-
ent, pairwise disjoint iTRSs. For any term $s$, we define $P_s(u)$ as the predicate 
on $\mathrm{Pos}(s)$ that is true iff $u$ has a descendant across $s \twoheadrightarrow \hat{s}$. Furthermore, we 
set $U_s = \{u \in \mathrm{Pos}(s) : P_s(u)\}$. 

By the previous proposition, we see that $P_s(u)$, and hence also $U_s$, is well-
defined. 

Proposition 9. Let $\mathcal{R}$ be an essentially non-collapsing set of left-linear, con-
fluent, pairwise disjoint iTRSs, and let $s$ be a term. Then $U_s$ is partially ordered by 
$\prec$ and the graph of $(U_s, \prec)$ is a (possibly infinite) directed tree $T_s$. The number 
of children of $T_s$ at any vertex $u$ is the arity of the function symbol at position 
$u$ in $s$. 

Proof. $U_s$ is partially ordered by $\prec$ since $\mathrm{Pos}(s)$ is. The graph of $(\mathrm{Pos}(s), \prec)$ 
is a directed tree, and clearly $U_s$ is connected, hence also a directed tree. If a 
block collapses, at least one position below it has a descendant across $s \twoheadrightarrow \hat{s}$, 
whence a position $u \in \mathrm{Pos}(s)$ has exactly as many children in $(U_s, \prec)$ as it has 
in $(\mathrm{Pos}(s), \prec)$. □ 

Proposition 10. Let $\mathcal{R}$ be an essentially non-collapsing set of left-linear, con-
fluent, pairwise disjoint iTRSs, and let $s \twoheadrightarrow s'$ have length at most $\omega$ (by the 
Compression Lemma, if need be). Let $d$ be any non-negative integer. There is a 
non-negative integer $d'$ such that, for all $u \in U_{s'}$ with $|u| \geq d'$, the depth, $d''$, 
of the single element in $u/(s' \twoheadrightarrow \hat{s}')$ satisfies $d'' \geq d$. Furthermore, there is 
a $k \in \omega$ such that for $k' \geq k$, if the redex, $r$, contracted in $s_{k'} \to s_{k'+1}$ is at 
position $u$, then the unique residual of $r$ by $s_{k'} \twoheadrightarrow \hat{s}_{k'}$ is at depth $\geq d$. 

Proof. By Proposition 9 and the pigeonhole principle, the number of vertices 
at each depth in $T_{s'}$ is finite. Write $u = p^{n}_1 \cdot p^{c}_1 \cdot p^{n}_2 \cdot p^{c}_2 \cdots p^{n}_m$, where the $p^{n}_i$ 
and $p^{c}_i$ are the positions of variables in non-collapsing and collapsing blocks of 
$s'$, respectively, and where $p^{n}_m$ is possibly the empty position. Clearly, the depth 
of the single element in $u/(s' \twoheadrightarrow \hat{s}')$ is $cl(u) = |p^{n}_1 \cdot p^{n}_2 \cdots p^{n}_m|$, and $cl(u)$ 
is thus the depth of $u$ in $T_{s'}$. Let $\{u_1, \ldots, u_q\}$ be the set of vertices in $T_{s'}$ at 
depth $d$, and set $d' = \max\{|u_1|, \ldots, |u_q|\}$; then $P_{s'}(u)$ and $|u| \geq d'$ implies 
$cl(u) \geq d$. Strong convergence of $s \twoheadrightarrow s'$ and the fact that the length is at 
most $\omega$ yield the existence of a $k \in \omega$ such that all redexes contracted in $s_k \twoheadrightarrow s'$ 
are at depths $\geq d'$. Hence, for any $k' \geq k$, if $s_{k'} \to s_{k'+1}$ contracts $r$, the unique 
residual of $r$ by $s_{k'} \twoheadrightarrow \hat{s}_{k'}$ will be at depth $\geq d$ in $\hat{s}_{k'}$. □ 

Proposition 11. Let $\mathcal{R}$ be an essentially non-collapsing set of left-linear, con-
fluent, pairwise disjoint iTRSs, and let $s \twoheadrightarrow t$. Then $\hat{s} \twoheadrightarrow \hat{t}$. 

Proof. By the Compression Lemma, we may assume that $s \to^{\leq \omega} t$, and proceed 
by induction on the length, $\alpha$, of the derivation: 

- $\alpha = 0$. Trivial. 

- $\alpha = j + 1$. Consider $s_j \to s_{j+1}$; if the redex $r$ is at position $u$ and $u \notin U_{s_j}$, we 
have $\hat{s}_j = \hat{s}_{j+1}$, and we are done. If $u \in U_{s_j}$, contracting $r/(s_j \twoheadrightarrow \hat{s}_j)$ clearly 
yields $\hat{s}_{j+1}$ in one step. 

- $\alpha = \omega$. By Proposition 10, for each depth $d \in \omega$, there is a $k \in \omega$ such that 
all steps $\hat{s}_{k'} \to \hat{s}_{k'+1}$ with $k' \geq k$ are below depth $d$, showing that the 
resulting derivation is strongly convergent with limit $\hat{t}$. □ 

Proposition 12. Let $R$ be the collapsing colour of an essentially non-collapsing 
set $\mathcal{R}$ of left-linear, confluent iTRSs. If $\hat{s} \twoheadrightarrow t$, then $s \twoheadrightarrow t$. 

Proof. $s \twoheadrightarrow \hat{s} \twoheadrightarrow t$. □ 

We can now prove the first positive result of the paper: 

Theorem 1. Let $\mathcal{R}$ be a set of confluent, left-linear, pairwise disjoint iTRSs. 
Then $\oplus\mathcal{R}$ is confluent iff $\mathcal{R}$ is essentially non-collapsing. 

Proof. If $\oplus\mathcal{R}$ is confluent, it follows from Lemma 4 that $\mathcal{R}$ must be essentially 
non-collapsing. Conversely, if $\mathcal{R}$ is essentially non-collapsing, let $t \twoheadleftarrow s \twoheadrightarrow t'$ 
be a peak of $\oplus\mathcal{R}$. By Proposition 11, there exists a peak $\hat{t} \twoheadleftarrow \hat{s} \twoheadrightarrow \hat{t}'$. 
Since $\hat{s}$ is insulated by Proposition 8, Lemma 3 now yields the existence of a term 
$s'$ and strongly convergent derivations $\hat{t} \twoheadrightarrow s'$ and $\hat{t}' \twoheadrightarrow s'$. An application 
of Proposition 12 to $t$ and to $t'$ concludes the proof. □ 

4.2 Mutually Orthogonal Systems 

Confluence of left-linear systems in finitary rewriting can be ensured by less 
strict demands than that of disjointness. In both first- and higher-order finitary 
rewriting, mutual orthogonality (and the more lax mutual weak orthogonality) 
is sufficient for confluent systems to be confluent under direct sum [15]. The 
techniques of [6,5] for proving confluence results in orthogonal (strongly con- 
vergent) transfinite rewriting use reasoning about residuals and the depths of 
redexes contracted in valleys as their linchpin; this does not generalize to arbi- 
trary confluent iTRSs, hence not to the setting of modularity, since we cannot 
necessarily track residuals in non-orthogonal systems. Unlike the case with dis- 
joint systems, contraction of a redex in one system can create redexes in others 
without being the application of a collapsing rule; as we cannot properly gauge 
the effect of such creations without tracking residuals, there appears to be no 
easy way of extending our results for left-linear systems to the setting of mutual 
orthogonality. 
5 Confluence of Terms of Finite Rank 

In this section, we show that when only terms of finite rank are considered, 
confluence is modular for non-collapsing, not necessarily left-linear, systems. The 
methods employed are akin to Toyama's original proof of modularity of (finitary) 
confluence of TRSs [14] and the initial part of the later, more elegant proof [9]. 
The parts of these papers dealing with collapsing rules do not appear to be 
applicable when working with strongly convergent derivations. 

Proposition 13. If the confluent terms $s$ and $s'$ satisfy $s \downarrow s'$ (i.e. $s$ and $s'$ are 
joinable), then any derivative, $t$, of $s$ is joinable with any derivative, $t'$, of $s'$. 

Proof. Straightforward. □ 

Definition 17. For sequences of terms $(s_k)_{k \in K}$ and $(t_k)_{k \in K}$, we write $(s_k)_{k \in K} \propto 
(t_k)_{k \in K}$ when it is the case that $t_{k'} = t_{k''}$ iff $s_{k'} \downarrow s_{k''}$, for all $k', k'' \in K$. 

Proposition 14. Let $\mathcal{R}$ be a set of non-collapsing, pairwise disjoint iTRSs, let 
$s = C[\![s_i]\!]_{i \in I}$ and assume that $s \twoheadrightarrow t$ with $t = C'[\![t_j]\!]_{j \in J}$. Choose variables 
$(x_i)_{i \in I}$ such that $(s_i)_{i \in I} \propto (x_i)_{i \in I}$. Then $C[x_i]_{i \in I} \twoheadrightarrow C'[y_j]_{j \in J}$ such that $y_j$ 
is a descendant of $x_i$ across $C[x_i]_{i \in I} \twoheadrightarrow C'[y_j]_{j \in J}$ iff $t_j$ is a descendant of $s_i$ 
across $s \twoheadrightarrow t$, for all $i \in I$, $j \in J$. 

Proof. By induction on the length, $\alpha$, of $s \twoheadrightarrow t$. 

- $\alpha = 0$. Straightforward. 

- $\alpha = \beta + 1$. Write $s_\beta = D[\![t'_k]\!]_{k \in K}$; by the induction hypothesis we may assume 
that there exists a strongly convergent derivation 
$C[x_i]_{i \in I} \twoheadrightarrow D[z_k]_{k \in K}$ such that $z_k$ is a descendant of $x_i$ iff $t'_k$ is a descen-
dant of $s_i$, for all $k \in K$, $i \in I$. Consider the single rewrite step $s_\beta \to s_{\beta+1}$. 
Assume that the redex contracted is of the rule $l \to r$ and at position $u$ in $s_\beta$. 
If the redex is not outer, or the rule is left-linear, the desideratum follows 
immediately. Assume, then, that the redex is outer and that the rule is not 
left-linear. The induction hypothesis furnishes that $z_k$ is a descendant of 
$x_i$ iff $t'_k$ is a descendant of $s_i$, for all $k \in K$, $i \in I$, whence $(t'_k)_{k \in K} \propto (z_k)_{k \in K}$, 
and the rule $l \to r$ is applicable at position $u$ in $D[z_k]_{k \in K}$. The demand on the 
descendants is clearly fulfilled. 

- $\mathrm{Lim}(\alpha)$. Observe that the rewrite steps of $C[x_i]_{i \in I} \twoheadrightarrow C'[y_j]_{j \in J}$ corre-
spond exactly to the outer steps of $s \twoheadrightarrow t$. If $C[x_i]_{i \in I} \twoheadrightarrow C'[y_j]_{j \in J}$ 
were not strongly convergent, neither would $s \twoheadrightarrow t$ be. It is clear by the 
definition of the descendant relation that the demand on the descendants is 
fulfilled. □ 

Proposition 15. Let $R$ be a non-collapsing iTRS, let $s = C[\![s_i]\!]_{i \in I}$ be such that 
the $s_i$ are all confluent, and choose variables $(x_i)_{i \in I}$ such that $(s_i)_{i \in I} \propto (x_i)_{i \in I}$. 
If $C[x_i]_{i \in I} \twoheadrightarrow C'[z_k]_{k \in K}$, then $C[\![s_i]\!]_{i \in I} \twoheadrightarrow C'[\![t_k]\!]_{k \in K}$ where $t_k$ is a 
descendant of $s_i$ across $C[\![s_i]\!]_{i \in I} \twoheadrightarrow C'[\![t_k]\!]_{k \in K}$ iff $z_k$ is a descendant of $x_i$ 
across $C[x_i]_{i \in I} \twoheadrightarrow C'[z_k]_{k \in K}$. 

Proof. By induction on the length, $\alpha$, of $C[x_i]_{i \in I} \twoheadrightarrow C'[z_k]_{k \in K}$. 

- $\alpha = 0$. Straightforward. 

- $\alpha = \beta + 1$. Let $D[z_\ell]_{\ell \in L}$ be the term reached after $\beta$ steps, so that 
$C[x_i]_{i \in I} \twoheadrightarrow D[z_\ell]_{\ell \in L}$. By the induction hypothesis, we have 
$C[\![s_i]\!]_{i \in I} \twoheadrightarrow D[\![r_\ell]\!]_{\ell \in L}$ for suitable $(r_\ell)_{\ell \in L}$ such that the demand on 
the descendant relation is satisfied. Assume that the redex contracted is of the 
rule $l \to r$ and at position $u$ in $D[z_\ell]_{\ell \in L}$. If the rule is left-linear, the 
desideratum follows immediately. If the rule is not left-linear, applicability of 
the rule in $D[z_\ell]_{\ell \in L}$, $(s_i)_{i \in I} \propto (x_i)_{i \in I}$ and the descendants part of the 
induction hypothesis furnish that if $z_j = z_{j'}$, then $r_j$ and $r_{j'}$ are joinable. 
Since $l$ is a finite term, only a finite number of principal subterms need to be 
reduced to a common term in order for the rule to be applicable in $D[\![r_\ell]\!]_{\ell \in L}$. 
Thus, by Proposition 13, there exists a strongly convergent derivation 
$D[\![r_\ell]\!]_{\ell \in L} \twoheadrightarrow D[\![r'_\ell]\!]_{\ell \in L}$ (with all steps performed at depth $> |u|$) such 
that $l \to r$ is applicable at position $u$ in $D[\![r'_\ell]\!]_{\ell \in L}$ and the demand on the 
descendant relation is satisfied. 

- $\mathrm{Lim}(\alpha)$. There are two kinds of rewrite steps performed in 
$C[\![s_i]\!]_{i \in I} \twoheadrightarrow C'[\![t_k]\!]_{k \in K}$: "outer" steps corresponding to (and of the same 
depth as) the steps in $C[x_i]_{i \in I} \twoheadrightarrow C'[z_k]_{k \in K}$, and "inner" steps performed to 
make non-left-linear rules applicable in the successor case above. The inner 
steps are all performed at a depth greater than that of the non-left-linear 
outer step that prompted them. Hence, the resulting derivation is strongly 
convergent; the demand on the descendant relation is clearly satisfied. □ 

Lemma 5. Let $\mathcal{R}$ be a set of non-collapsing iTRSs and let $s = C[\![s_i]\!]_{i \in I}$. 
Assume that outer derivation and the $s_i$ are confluent for all $i \in I$, and let 
$t \twoheadleftarrow s \twoheadrightarrow t'$ be a peak. Then there exists a valley $t \twoheadrightarrow s' \twoheadleftarrow t'$. 

Proof. Apply Propositions 14 and 15 twice, as in the following diagram: 

[Diagram lost in extraction; only its labels survive. They are 
$C[\![s_i]\!]_{i \in I}$, $D[\![r_\ell]\!]_{\ell \in L}$, $C[x_i]_{i \in I}$, $D[y_\ell]_{\ell \in L}$, $C'[z_k]_{k \in K}$, 
$D'[y'_{\ell'}]_{\ell' \in L'}$, $C'[\![r_k]\!]_{k \in K}$, $C'[\![r'_k]\!]_{k \in K}$, the joins $r_k \downarrow r'_k$, and 
two arrows each labelled "Prop. 14" and "Prop. 15": Proposition 14 replaces the 
principal subterms of the given peak by variables, confluence of outer derivation 
closes the resulting outer peak, and Proposition 15 lifts the two sides of that 
valley back to terms whose principal subterms are the $r_k$ and the $r'_k$.] 

For the lower right rectangle, observe that the demand on the descendant re-
lations in Propositions 14 and 15 ensures that $r_k$ and $r'_k$ are descendants of the 
same $s_i$ for all $k \in K$. Since the $s_i$ were confluent, we get $r_k \downarrow r'_k$ for all $k \in K$. 
An application of the Dovetailing Lemma yields that performing the $|K|$ deriva-
tions needed to obtain $C'[\![s'_k]\!]_{k \in K}$ from $C'[\![r_k]\!]_{k \in K}$ (resp. $C'[\![r'_k]\!]_{k \in K}$) can be 
done in a strongly convergent fashion. □ 

We now have the second positive result of this paper: 

Theorem 2. Let $\mathcal{R}$ be a set of non-collapsing, confluent iTRSs. Then every 
term $s$ over $\oplus\mathcal{R}$ with finite rank is confluent. 

Proof. By induction on $\mathrm{rank}(s)$. If $\mathrm{rank}(s) = 0$, the result follows immediately, 
since monochrome terms were assumed to be confluent. If $\mathrm{rank}(s) > 0$, note 
that outer derivation is confluent, as are all principal subterms of $s$, since they 
have rank strictly less than $\mathrm{rank}(s)$. The result follows by an application of 
Lemma 5. □ 

Systems containing collapsing rules exhibit severe technical complications 
that appear to be solvable neither with the techniques presented herein, nor 
with the standard techniques from finitary rewriting [9,14]. 

6 Weakly Convergent Rewriting 

In the previous sections, we have considered strongly convergent derivations. The 
more general setting of weak convergence is not very well understood, and sports 
far fewer auxiliary results. A major hurdle in this setting is that it is not clear 
how to define a suitable descendant relation. To appreciate the impact of this 
on the study of modularity, observe that the techniques of finitary rewriting, as 
well as those in this paper, depend crucially on the property of non-collapsing 
rewriting that, in a derivation $s \twoheadrightarrow t$, we can identify principal subterms of 
$t$ with descendants of principal subterms of $s$. This is lost in weakly convergent 
rewriting, to wit the following example: 

Example 2. We give an example of a weakly convergent derivation $s \to^{\omega} t$ 
such that, for a principal subterm $t_j$ of $t$, there is no principal subterm $s_i$ of 
$s$ satisfying $s_i \twoheadrightarrow t_j$. Let $R_0 = \{a(x) \to b(x)\}$ and let $R_1$ be the system 
consisting of the following infinite set of rules: 

\[
f(x, g^{k}(c), d(y,z)) \to f(y, g^{k+1}(c), z) \qquad \text{for } k \in \omega .
\]

Clearly, the two systems are disjoint, and both are orthogonal. Let $u = d(a^{\omega}, u)$ 
and ponder the term 

\[
f(a(c),\; g(c),\; d(a(c), d(a(a(c)), d(a(a(a(c))), d(\cdots)))))
\]

from which there is a weakly convergent derivation having limit $f(a^{\omega}, g^{\omega}, u)$ 
(contract redexes at position $\varepsilon$ repeatedly). But there is no principal subterm $s_i$ 
of the starting term such that a weakly convergent derivation $s_i \to^{\beta} a^{\omega}$ exists 
for any ordinal $\beta$. □ 
Abstract. Restrictions of rewriting can eventually achieve termination 
by pruning all infinite rewrite sequences issued from every term. Context-
sensitive rewriting (CSR) is an example of such a restriction. In CSR, 
the replacements in some arguments of the function symbols are perma-
nently forbidden. This paper describes MU-TERM, a tool which can be 
used to automatically prove termination of CSR. The tool implements 
the generation of the appropriate orderings for proving termination of 
CSR by means of polynomial interpretations over the rational numbers. 
In fact, MU-TERM is the first termination tool which generates term or-
derings based on such polynomial interpretations. These orderings can 
also be used, in a number of different ways, for proving termination of 
ordinary rewriting. Proofs of termination of CSR are also possible via 
existing transformations to TRSs (without any replacement restriction) 
which are also implemented in MU-TERM. 



1 Introduction 

Context-sensitive rewriting (CSR [12]) is useful for describing semantic aspects 
of a number of programming languages (e.g., Maude, OBJ2, OBJ3, or CafeOBJ) 
and analyzing the computational properties of the corresponding programs, in 
particular termination (see [11]). Termination of CSR can also be used to prove 
top-termination of TRSs and to easily define normalizing reduction strategies 
[12]. Termination of CSR has also been related to termination of some (auxiliary) 
evaluation modes of functional languages like Haskell (see [9]). 

In CSR, a replacement map $\mu$ discriminates, for each symbol of the signature, 
the argument positions $\mu(f)$ on which the replacements are allowed. 

Example 1. Consider the TRS $\mathcal{R}$: 

    nats  -> cons(0, incr(nats))      incr(cons(x,xs)) -> cons(s(x), incr(xs)) 
    pairs -> cons(0, incr(odds))      head(cons(x,xs)) -> x 
    odds  -> incr(pairs)              tail(cons(x,xs)) -> xs 

with $\mu(\mathtt{cons}) = \{1\}$ and $\mu(f) = \{1, \ldots, ar(f)\}$ for any other symbol $f$ in the 
signature. The infinite sequence nats -> cons(0, incr(nats)) -> ... is not 
possible with CSR because of $\mu(\mathtt{cons}) = \{1\}$. 
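To make the effect of the replacement map concrete, the following is an added example (my own Python, not code from MU-TERM or from this paper): a small context-sensitive rewriting interpreter run on the TRS of Example 1. Terms are nested tuples, variables are strings beginning with an uppercase letter as in MU-TERM's simple format, and the replacement map is an ordinary function. Only the root and the replacing arguments $\mu(f)$ are ever rewritten, so nats stops at cons(0, incr(nats)) under $\mu(\mathtt{cons}) = \{1\}$, whereas with $\mu_\top$ (all arguments replacing, i.e. ordinary rewriting) it never stops. The leftmost-outermost strategy, the step bound and the helper names are my choices, not the tool's.

```python
"""Context-sensitive rewriting on the TRS of Example 1 (added example, not MU-TERM code).

Term representation (mirrors MU-TERM's simple format):
  - a variable is a str beginning with an uppercase letter, e.g. 'X', 'XS';
  - an application f(t1,...,tn) is the tuple ('f', t1, ..., tn); a constant is ('c',).
A replacement map is a function mu(f, arity) -> list of replacing argument positions (1-based).
"""
from typing import Callable, Dict, List, Optional, Tuple, Union

Term = Union[str, tuple]
Rule = Tuple[Term, Term]
ReplacementMap = Callable[[str, int], List[int]]


def is_var(t: Term) -> bool:
    return isinstance(t, str)


def match(pattern: Term, term: Term, subst: Optional[Dict[str, Term]] = None) -> Optional[Dict[str, Term]]:
    """Syntactic matching of a rule's left-hand side against a term; the substitution or None.
    Repeated variables (non-left-linear rules) must bind to identical terms."""
    if subst is None:
        subst = {}
    if is_var(pattern):
        if pattern in subst:
            return subst if subst[pattern] == term else None
        subst[pattern] = term
        return subst
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst


def substitute(t: Term, subst: Dict[str, Term]) -> Term:
    if is_var(t):
        return subst.get(t, t)
    return (t[0],) + tuple(substitute(a, subst) for a in t[1:])


def root_step(term: Term, rules: List[Rule]) -> Optional[Term]:
    """Contract a redex at the root with the first applicable rule, if any."""
    for lhs, rhs in rules:
        s = match(lhs, term)
        if s is not None:
            return substitute(rhs, s)
    return None


def csr_step(term: Term, rules: List[Rule], mu: ReplacementMap) -> Optional[Term]:
    """One mu-rewriting step, leftmost-outermost: try the root, then recurse only into the
    replacing arguments mu(f). Arguments outside mu(f) are never touched, which is exactly
    what blocks the infinite nats derivation. Returns None if term is a mu-normal form."""
    if is_var(term):
        return None
    reduct = root_step(term, rules)
    if reduct is not None:
        return reduct
    f, args = term[0], list(term[1:])
    for i in mu(f, len(args)):
        new_arg = csr_step(args[i - 1], rules, mu)
        if new_arg is not None:
            args[i - 1] = new_arg
            return (f,) + tuple(args)
    return None


def csr_normalize(term: Term, rules: List[Rule], mu: ReplacementMap, max_steps: int = 1000) -> Optional[Term]:
    """Rewrite to a mu-normal form; None if none is reached within max_steps (a crude
    non-termination detector for this demo, not a termination proof of anything)."""
    for _ in range(max_steps):
        nxt = csr_step(term, rules, mu)
        if nxt is None:
            return term
        term = nxt
    return None


# The TRS of Example 1 (constants are 1-tuples, variables are uppercase strings).
NATS_TRS: List[Rule] = [
    (('nats',), ('cons', ('0',), ('incr', ('nats',)))),
    (('pairs',), ('cons', ('0',), ('incr', ('odds',)))),
    (('odds',), ('incr', ('pairs',))),
    (('incr', ('cons', 'X', 'XS')), ('cons', ('s', 'X'), ('incr', 'XS'))),
    (('head', ('cons', 'X', 'XS')), 'X'),
    (('tail', ('cons', 'X', 'XS')), 'XS'),
]


def mu_example1(f: str, arity: int) -> List[int]:
    """mu(cons) = {1}; every other symbol has all of its arguments replacing."""
    return [1] if f == 'cons' else list(range(1, arity + 1))


def mu_top(f: str, arity: int) -> List[int]:
    """mu_T: all arguments replacing, i.e. ordinary term rewriting."""
    return list(range(1, arity + 1))


def third_natural() -> Optional[Term]:
    """head(tail(tail(nats))) under the replacement map of Example 1."""
    return csr_normalize(('head', ('tail', ('tail', ('nats',)))), NATS_TRS, mu_example1)


if __name__ == '__main__':
    print(csr_normalize(('nats',), NATS_TRS, mu_example1))  # cons(0, incr(nats)) is a mu-normal form
    print(third_natural())                                    # s(s(0))
    print(csr_normalize(('nats',), NATS_TRS, mu_top, 50))     # None: ordinary rewriting loops
```

Under $\mu_\top$ the interpreter keeps unfolding nats inside the second argument of cons; under $\mu(\mathtt{cons}) = \{1\}$ that argument is frozen, and demand-driven access through head and tail still produces s(s(0)) for the third natural number.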

Automatic proofs of termination are always desirable although difficult. Several 
methods have been developed for proving termination of CSR under $\mu$ for a given 
TRS $\mathcal{R}$ (i.e., for proving the $\mu$-termination of $\mathcal{R}$). However, no tool for proving 
termination of CSR has been reported to date. Our tool, MU-TERM, is intended 
to fill this gap. Two main approaches to prove termination of CSR have been 
investigated in the literature so far: 

1. Indirect proofs, which are based on transforming the problem of proving ter-
mination of CSR into a proof of termination of rewriting. For instance, 
[5,8,9,10,16] describe a number of transformations $\Theta$ from TRSs $\mathcal{R}$ and 
replacement maps $\mu$ that produce TRSs $\mathcal{R}_\Theta$. If we are able to prove ter-
mination of $\mathcal{R}_\Theta$ (using the standard methods), then the $\mu$-termination of 
$\mathcal{R}$ is ensured. Our tool implements all these transformations and also pro-
vides interfaces for the use of external tools for proving termination (of $\mathcal{R}_\Theta$): 
AProVE^1, CiME^2, Termptation^3, and the Tyrolean/Tsukuba Termination Tool^4 
(TTT). 

2. Direct proofs, which are based on using $\mu$-reduction orderings (see [16]) such 
as the (context-sensitive) recursive path orderings [3], polynomial orderings 
[7,14], semantic path orderings [4], and Knuth-Bendix orderings [4]. These 
are orderings $>$ on terms which can be used to directly compare the left- 
and right-hand sides of the rules in order to conclude the $\mu$-termination of 
the TRS. The MU-TERM tool implements automatic proofs of termination of 
CSR by using the polynomial interpretations over the rational numbers of 
[14]. 

The modular analysis of termination of CSR described in [6] can also be used: 
MU-TERM attempts a safe decomposition of the TRS in such a way that the 
components satisfy the modularity requirements described in [6]. If it succeeds 
in performing a non-trivial decomposition (i.e., MU-TERM obtains more than 
one component), then individual proofs of termination are attempted for each 
component. 

The tool can also be used for proving termination of rewriting in a number 
of ways. This is because term rewriting is a particular case of CSR where the re-
placement map $\mu_\top(f) = \{1, \ldots, ar(f)\}$, for all symbols $f$ in the signature, is used. 
Polynomials over the rationals [14] are used to generate appropriate reduction 
orderings. As far as the author knows, MU-TERM is currently the only termi-
nation tool which uses such kind of polynomials. On the other hand, 'proper' 
$\mu$-reduction orderings (where $\mu$ can be different from $\mu_\top$) based on such polyno-
mial interpretations are also used together with the dependency pairs approach 
[1] to prove termination of rewriting. 

The MU-TERM system is available at 

    http://www.dsic.upv.es/~slucas/csr/termination/muterm 

^1 http://www-i2.informatik.rwth-aachen.de/AProVE 
^2 http://cime.lri.fr 
^3 http://www.lsi.upc.es/~albert 
^4 http://cl2-informatik.uibk.ac.at 

Fig. 1. Screenshot of the main window of MU-TERM 



2 Interface and Functionality 

MU-TERM has a graphical user interface (see Figure 1). In the following, we 
explain the functionalities of the tool. 

Menu File. MU-TERM holds a list of TRSs (possibly with the corresponding 
replacement maps) which can be modified and transformed. The TRS which 
is displayed in the main window is called the current TRS. MU-TERM uses the 
current TRS to perform most actions selected by the user: prove termination, 
transform, etc. 

TRSs can be loaded from files containing the rules in the 'simple format' 
l -> r, where l and r are terms in the usual prefix syntax (infix operators are 
not allowed) with arguments enclosed between '(' and ')' and separated by ','. In 
this format, variable identifiers begin with a capital letter. TRSs are introduced 
in the system from text files via menu File; after successfully reading the file, 
the TRS becomes the current TRS. 

The system is also able to deal with modules following a subset of the full 
OBJ / Maude grammar. The advantage is that, in contrast to the simple format 
(which needs a second phase for the introduction of the replacement map, see 
below), we are able to specify the replacement map at once, by means of the 
OBJ / Maude strategy annotations. For instance, the TRS $\mathcal{R}$ of Example 1 was 
introduced as the OBJ / Maude module shown in Figure 1, where the strategy 
annotation (1 0) for cons is interpreted by $\mu(\mathtt{cons}) = \{1\}$ (i.e., zeros in strategy 
annotations are just removed). 

On the other hand, the user is allowed to display and save the current TRS 
in(to) a number of different formats which permit to export TRSs to AProVE, 
CiME, Termptation, TTT, and to the format of the Termination Problems Data 
Base^5 (TPDB). 

Panel Termination of CSR (direct proof). The tool implements the techniques 
described in [14]. A proof of $\mu$-termination of a TRS $\mathcal{R}$ is transformed into 
the problem of solving a set of constraints over the (unknown) coefficients of a 
polynomial interpretation for the signature of $\mathcal{R}$. An interesting feature of our 
technique is that we generate polynomial interpretations with rational coeffi-
cients. For instance, such rational coefficients permit to deal with the lack of 
monotonicity in the non-replacing arguments of symbols, which can be necessary 
to prove termination of CSR (see [14] for further details and below for an exam-
ple). This can be achieved by using rational coefficients $q$ with $0 < q < 1$ in the 
monomials which correspond to non-replacing arguments (see [14, Section 5]). 

In order to try a direct proof of the $\mu$-termination of a TRS $\mathcal{R}$, MU-TERM 
builds polynomial interpretations with undetermined (rational) coefficients for each 
symbol of the signature. We are able to deal with four different kinds of polyno-
mial interpretations: linear, simple, simple-mixed (see [15]) and quadratic. Then, 
according to the technique described in [14, Section 5], MU-TERM automatically 
generates a set of Diophantine constraints on the undetermined coefficients of 
the polynomial interpretations. Solving such constraints implies that the system 
is $\mu$-terminating, and the solution yields the polynomial interpretation which 
induces the corresponding polynomial ordering. 

We use CiME as an auxiliary tool to solve the constraints generated by the 
system. Our choice of CiME is motivated by the availability of a language for 
expressing Diophantine constraints, and commands for solving them. This is 
present in CiME but currently missing (or unavailable) in other termination 
tools which (internally) may use similar constraint solvers for dealing with poly-
nomial orderings (e.g., AProVE). CiME, however, is only able to solve Diophan-
tine inequations yielding nonnegative integers as solutions. MU-TERM deals with 
the task of making the use of rational numbers compatible with this limitation: 
given a Diophantine constraint $e_1 > e_2$ containing an occurrence of $\frac{1}{q}$ in $e_1$ 
(or $e_2$), we obtain an equivalent constraint $q \cdot e_1 > q \cdot e_2$ (with $q > 0$). Then, we 
propagate the multiplication by $q$ to all coefficients in $e_1$ and $e_2$, thus removing 
the occurrences of $q$ in the denominator of any rational coefficient involving it. 
We repeat this simplification process until no rational coefficient is present. In 
fact, each 'rational' coefficient is internally handled as a pair of integers. When a 
polynomial interpretation involving such coefficients is displayed, MU-TERM uses 
the notation $p/q$. We provide two ways to implement the connection with CiME: 

^5 See http://www.lri.fr/~marche/wst2004-competition/format.html 
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1. Automatic connection. This only works with systems where CiME is directly 
available (Windows, MacOS X, . . . ). The constraints generated by MU-term 
are sent to CiME; the answer is automatically processed by mu-term to 
show the polynomial interpretation (with rational, nonnegative coefficients) 
which proves the /i-termination of TZ. For instance, the /i-termination of TZ 
in Example 1 can be automatically proved in this way (see Figure 2). 




Fig. 2. Polynomial proof of /r-termination of TZ in Example 1 

2. User-assisted connection. If CiME is not available on the computer that runs 
mu-term, it is still possible to remotely use CiME. For this purpose, the 
tool can provide a CiME version of the appropriate constraint. The user 
would, then, deal with the necessary communication with CiME to achieve 
any possible proof of termination. Again, as far as we know, other available 
tools for proving termination of rewriting (e.g., AProVE, Termptation, TTT, 
...) do not provide any means to directly solve constraints generated by an 
external system like mu-term. 

If the modular proofs are activated, then mu-term computes a maximal safe 
decomposition of the current system (according to the results in [6], which concern 
disjoint and constructor-sharing systems) and separately proves termination of 
each module by computing the appropriate polynomial interpretations. 
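The denominator-clearing step described above, as an added example (not mu-term's own code): each side of a constraint is a dictionary from a monomial name to a Python Fraction, which plays the role of the pair of integers the text mentions, and the constraint 3/2·x + 1/4 > 1/3·x + 1/6 is constructed here for illustration.

```python
from fractions import Fraction

# A side of a Diophantine constraint is a polynomial represented as a map from a
# monomial name (e.g. "x", "x*y", and "1" for the constant term) to its
# coefficient. Coefficients are Fractions, i.e. numerator/denominator pairs of
# integers, the internal representation the text describes for 'rational'
# coefficients.

def rational_denominators(e1, e2):
    """Denominators q != 1 still present on either side of e1 > e2."""
    return [c.denominator for c in list(e1.values()) + list(e2.values())
            if c.denominator != 1]

def clear_denominators(e1, e2):
    """Turn e1 > e2 with rational coefficients into an equivalent constraint
    with integer coefficients: pick a coefficient p/q with q != 1, multiply both
    sides by q (equivalence is preserved because q > 0), propagate the factor to
    every coefficient, and repeat until no rational coefficient is left."""
    e1, e2 = dict(e1), dict(e2)
    while True:
        qs = rational_denominators(e1, e2)
        if not qs:
            return e1, e2
        q = qs[0]
        e1 = {m: c * q for m, c in e1.items()}
        e2 = {m: c * q for m, c in e2.items()}

def evaluate(e, env):
    """Value of one side under an assignment of the variables; monomial names
    are variable names joined by '*', "1" is the constant monomial."""
    total = Fraction(0)
    for m, c in e.items():
        v = Fraction(1)
        if m != "1":
            for var in m.split("*"):
                v *= env[var]
        total += c * v
    return total

def holds(e1, e2, env):
    """Truth value of e1 > e2 under the assignment env."""
    return evaluate(e1, env) > evaluate(e2, env)

def display(e):
    """Render a side with rational coefficients written as p/q, as mu-term does."""
    def coef(c):
        return str(c.numerator) if c.denominator == 1 else f"{c.numerator}/{c.denominator}"
    return " + ".join(coef(c) if m == "1" else f"{coef(c)}*{m}" for m, c in e.items())

# Constructed constraint (not from the paper): 3/2*x + 1/4 > 1/3*x + 1/6.
E1 = {"x": Fraction(3, 2), "1": Fraction(1, 4)}
E2 = {"x": Fraction(1, 3), "1": Fraction(1, 6)}

if __name__ == "__main__":
    a, b = clear_denominators(E1, E2)
    print(display(E1), ">", display(E2))
    print(display(a), ">", display(b))   # 18*x + 3 > 4*x + 2
```

Multiplying by each denominator in turn, as the text describes, can produce larger integers than a single multiplication by the least common multiple of all denominators would; the resulting constraint is nevertheless equivalent, which the `holds` check makes easy to confirm on sample assignments.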

Panel Transformations. Here we can apply different transformations for proving 
termination of CSR. Each of them transforms the current TRS; the current 
TRS, however, remains unchanged (the transformed system is added to the list 
of TRSs). This makes it easy to apply many transformations to the same current 
TRS. Available transformations correspond to [5,9,10,16] for proving termination 
of CSR. As an example, the μ-termination of the following TRS Ex1_Zan97 [16, 
Example 1]: 

  g(x) → h(x)        c → d        h(d) → g(c) 

(with μ(g) = μ(h) = ∅) cannot be directly proved by using a linear, simple, 
simple-mixed, or quadratic polynomial interpretation with nonnegative 
coefficients. However, it is possible to prove the μ-termination of R by using Giesl 
and Middeldorp's transformation in [9] to obtain a TRS Ex1_Zan97_GM 

  a__g(X) → a__h(X)       mark(h(X)) → a__h(X)      a__g(X) → g(X) 
  a__c → d                mark(c) → a__c            a__h(X) → h(X) 
  a__h(d) → a__g(c)       mark(d) → d               a__c → c 
  mark(g(X)) → a__g(X) 

which can be proved terminating with mu-term also (see below). 

Again, if the modular proofs are activated, then mu-term uses the computed 
maximal decomposition of the current system to individually apply the 
transformations. Then, if the transformed system becomes the current TRS and the 
user tries a proof of termination, the proof will be individually attempted for 
each transformed component. Note that this does not mean that the transformed 
system itself admits a safe modular decomposition (normally, this is not the case, 
see [6] for a deeper discussion) but only that we take indirect benefit from the 
possibility of decomposing the original system R. 

Regarding termination of innermost CSR [11], we implement the correct and 
complete transformation of [8]. Some of the aforementioned transformations are 
also correct for proving termination of innermost CSR (see [8,11]), i.e., if the 
innermost termination of the transformed system can be proved, this implies 
the innermost termination of CSR for the original one. 

We also include a transformation between pairs of TRSs and replacement 
maps which permits to prove termination of lazy rewriting as termination of 
CSR (see [13]). This transformation, however, does not benefit from any modular 
decomposition, since (as far as the author knows) modularity of termination of 
lazy rewriting has not been investigated yet. 



Panel Termination of rewriting. Term rewriting is a particular case of CSR 
where the (top) replacement map μ_⊤, with μ_⊤(f) = {1, ..., ar(f)} for all f ∈ F 
(the signature), is used. Thus, the polynomial μ_⊤-reduction orderings generated 
by mu-term as explained above can also be used to prove termination of 
rewriting. We can use this fact, for instance, to prove termination of the TRSs 
which are obtained from the aforementioned transformations. For instance, 
Ex1_Zan97_GM above can be proved polynomially terminating with mu-term 
(see Figure 3). 

Fig. 3. Polynomial termination of rewriting with mu-term 

On the other hand, in [1,2], Arts and Giesl discuss the use of weakly monotonic 
and non-monotonic orderings for proving termination of TRSs in combination 
with the dependency pairs approach. We have implemented the use of 
polynomial interpretations over the rationals to generate weak and μ-monotonic 
orderings (where monotonicity is required only for the arguments of f belonging 
to μ(f), see [16]) which are suitable to be used together with the dependency 
pairs approach for proving termination of rewriting. For instance, in Figure 4 we 
show a proof of termination of the TRS ExNatsOddsPairs_GM obtained from the 
CSRS R (labelled ExNatsOddsPairs when loaded into mu-term) of Example 1. 
Note the new symbols with prefix nF_ which correspond to the ‘tuple’ symbols 
introduced by the computation of the dependency pairs (see [1]). 

Once again, if the modular proofs are activated, then mu-term uses the 
computed maximal decomposition of the current system to perform the 
corresponding (polynomial or dependency-pairs based) proofs. This is because the 
modularity results for CSR [6] boil down to valid (and known) results for 
rewriting when the top replacement map μ_⊤ is considered. 

Additionally, we also provide a connection to directly use the termination 
expert of CiME (rather than its constraint solver) in its different modalities. 

Panel Replacement map. The controls in this panel permit to initialize / display 
/ modify the replacement map associated to the current TRS. We provide a 
number of different ways to initialize a replacement map: the top replacement 
map μ_⊤ and the least replacement map μ_⊥ (with μ_⊥(f) = ∅ for every symbol 
f of the signature) are the simplest ones. mu-term also permits to specify the 
canonical replacement map of R, which is the most restrictive replacement 
map ensuring that the non-variable subterms of the left-hand sides of the rules 
of R are replacing [12]. The class of replacement map which is currently being 
used is indicated with a colour code: red for the least replacement map, blue 
for the top one, green if the replacement map is greater than or equal to the 
canonical replacement map, and gray in any other case. 

Once a replacement map has been initialized (or was already given, for 
instance, by loading an OBJ/Maude module), it is possible to modify it by double 
clicking on the corresponding symbol and appropriately setting the arguments 
as replacing or non-replacing. 

The TRS ExNatsOddsPairs_GM (proof of termination with mu-term): 

  a__nats → cons(0, incr(nats)) 
  a__pairs → cons(0, incr(odds)) 
  a__odds → a__incr(a__pairs) 
  a__incr(cons(X,XS)) → cons(s(mark(X)), incr(XS)) 
  a__head(cons(X,XS)) → mark(X) 
  a__tail(cons(X,XS)) → mark(XS) 
  mark(nats) → a__nats 
  mark(pairs) → a__pairs 
  mark(odds) → a__odds 
  mark(incr(X)) → a__incr(mark(X)) 
  mark(head(X)) → a__head(mark(X)) 
  mark(tail(X)) → a__tail(mark(X)) 
  mark(0) → 0 
  mark(s(X)) → s(mark(X)) 
  mark(nil) → nil 
  mark(cons(X1,X2)) → cons(mark(X1),X2) 
  a__nats → nats 
  a__pairs → pairs 
  a__odds → odds 
  a__incr(X) → incr(X) 
  a__head(X) → head(X) 
  a__tail(X) → tail(X) 

Fig. 4. Termination with dependency pairs and polynomials over the rationals 



3 Use of MU-TERM 

mu-term is written in Haskell^, and wxHaskell^ has been used to develop the 
graphical user interface. The system consists of around 30 Haskell modules 
containing more than 4000 lines of code. Compiled versions and instructions for the 
installation are available on the mu-term WWW site. 

^ See http://haskell.org/ 

^ See http://wxhaskell.sourceforge.net 
We have used mu-term for developing the experiments reported in the 
following WWW page: 

http://www.dsic.upv.es/~slucas/csr/termination/examples 

where we have collected almost all published examples of non-terminating TRSs 
which can be proved μ-terminating for concrete replacement maps μ. We consider 
more than 40 examples (out of around 20 different references) which were 
managed with mu-term for either attempting a direct proof of termination 
or eventually transforming them to try a proof with either mu-term or another 
external termination tool. 

4 Conclusions and Future Work 

We have presented mu-term, a tool for proving termination of context-sensitive 
rewriting. The tool is written in Haskell and has a graphical user interface. 

As far as the author knows, mu-term is the first implementation of a tech- 
nique for proving termination of CSR; moreover, mu-term implements the first 
method for directly proving termination of CSR and also can benefit from the 
modular structure of the system by automatically decomposing it into mod- 
ules which can be separately proved terminating. The tool can also be used for 
proving termination of rewriting. In this sense, mu-term is the first tool which 
implements reduction orderings based on polynomial interpretations over the 
rational numbers. It is also the first tool which makes use of such polynomi- 
als for the automatic generation of reduction pairs which can be used to prove 
termination of rewriting by using the dependency pairs approach. 

Future extensions of the tool will address the problem of efficiently using 
negative coefficients in polynomial interpretations (see [14, Section 5.3] for 
further motivations and discussion). We also plan to investigate new families of real 
functions which are well-suited for automatization purposes. We will focus on 
those functions which can also be used to prove termination of CSR, by 
introducing mechanisms for losing monotonicity in some arguments. In particular, 
polynomial fractions were proposed in [14] as suitable candidates for this 
purpose. In all these cases, however, more research is necessary before being able to 
provide reasonable techniques for dealing with these kinds of functions. Another 
promising line of work is the implementation of the CS-RPO. 

We plan to improve the generation of reports and the inclusion of new, richer 
formats for input systems (e.g., conditional TRSs, many-sorted TRSs, TRSs 
with AC symbols, etc.). We also plan to directly connect mu-term with AProVE. 
Abstract. We describe the system AProVE, an automated prover to 
verify (innermost) termination of term rewrite systems (TRSs). For this 
system, we have developed and implemented efficient algorithms based 
on classical simplification orders, dependency pairs, and the size-change 
principle. In particular, it contains many new improvements of the 
dependency pair approach that make automated termination proving more 
powerful and efficient. In AProVE, termination proofs can be performed 
with a user-friendly graphical interface and the system is currently among 
the most powerful termination provers available. 



1 Introduction 

The system AProVE (Automated Program Verification Environment) offers a 
variety of techniques for automated termination proofs of TRSs: First, it provides 
efficient implementations of classical simplification orders to prove termination 
“directly” (recursive path orders possibly with status [6,19], Knuth-Bendix 
orders [20], and polynomial orders [22]), cf. Sect. 2. To increase the power of auto- 
mated termination proofs, we implemented the dependency pair technique [2, 13] 
in AProVE which allows the application of classical orders to examples where au- 
tomated termination analysis would fail otherwise (Sect. 3). In contrast to most 
other implementations, we integrated numerous refinements such as narrowing, 
rewriting, and instantiation of dependency pairs [2,12,14,15], recent improve- 
ments to reduce the constraints generated by the dependency pair technique [14, 
15, 28], etc. Therefore, AProVE succeeds on many examples where all other auto- 
mated termination provers fail. Thus, the principles used in AProVE’s implemen- 
tation may also be very helpful for other tools based on dependency pairs (Arts 
[1], CiME [5], TTT [18]) or on other related approaches for termination of TRSs 
(Termptation [4], Cariboo [10]). Apart from direct termination proofs and de- 
pendency pairs, as a third termination technique, AProVE offers the size-change 
principle [23] and it is also possible to combine this principle with dependency 
pairs [27] (Sect. 4). The tool is written in Java and proofs can be performed both 
in a fully automated or in an interactive mode via a graphical user interface. The 
modular design of AProVE’s implementation is explained in Sect. 5. In Sect. 6 
we show how to run the system and compare AProVE with related tools. 



V. van Oostrom (Ed.): RTA 2004, LNCS 3091, pp. 210-220, 2004. 
© Springer-Verlag Berlin Heidelberg 2004 
2 Direct Termination Proofs 

This section describes the base orders of AProVE which can be used for direct 
termination proofs, but also for proofs with constraint generation techniques 
like dependency pairs or the size-change principle. 

In direct termination proofs, the system tries to find a reduction order where 
all rules are decreasing. The following path orders are available: the embedding 
order (EMB), the lexicographic path order (LPO, [19]), the LPO with status which 
compares subterms lexicographically w.r.t. arbitrary permutations (LPOS), the 
recursive path order comparing subterms as multisets (RPO, [6]), and the RPO 
with status which combines LPOS and RPO (RPOS). 

Path orders may be parameterized by a precedence on function symbols and a 
status which determines how arguments of function symbols are compared. To 
explore the search space for these parameters, the system leaves them as 
unspecified (or “minimal”) as possible. The user can decide between depth-first 
or breadth-first search and one can configure path orders by deciding whether 
different function symbols may be equivalent w.r.t. the precedence (“Nonstrict 
Precedence”). It is also possible to restrict potential equivalences to certain 
pairs of function symbols. 

AProVE also offers Knuth-Bendix orders (KBO, [20]) using the polynomial-time 
algorithm of [21] and the technique of [9] to compute the degenerate subsystem 
of homogeneous linear inequalities. 

The last class of orders in AProVE are polynomial orders (POLO, [22]) where 
every function symbol is associated with a polynomial with natural coefficients. 
The user can specify the degree of the polynomials and the range of the 
coefficients. One can also provide individual polynomials for some function 
symbols manually. To prove termination, AProVE generates a set of polynomial 
inequalities stating that left-hand sides of rules should be greater than the 
corresponding right-hand sides. By the method of partial derivation [11,22], 
these inequalities are transformed into inequalities only containing coefficients, 
but no variables anymore. Finally, a search algorithm determines suitable 
coefficients that satisfy the resulting inequalities. The user can choose between 
brute force search, greedy search, a genetic algorithm, and a constraint-based 
method based on interval arithmetic, which is the preferred one in most examples. 

To improve power and efficiency of automated termination proofs, one can 
apply a pre-processing step to remove rules from the TRS that do not influence 
the termination behavior. When selecting “Remove Redundant Rules”, AProVE 
tries to find a monotonic order ≽ such that the rules of the TRS R are at least 
weakly decreasing (i.e., at least l ≽ r for all l → r ∈ R). Then rules which are 
strictly decreasing are removed, i.e., it suffices to prove termination of 
R \ {l → r | l ≻ r}. This extends existing related approaches to remove rules 
[16,22,30]. 

For this pre-processing, we use linear polynomial interpretations with 
coefficients from {0, 1}. (In the screenshot above, we mapped s(x) to x + 1 and 
half and log to the identity.) AProVE’s algorithm for polynomial orders solves 
constraints where some inequalities are strictly decreasing and all others are 
weakly decreasing in just one search attempt without backtracking [15]. So 
removal of rules can be done very efficiently and it is repeated until no rule 
can be removed anymore. 

3 Termination Proofs with Dependency Pairs 

The dependency pair approach [2,13] increases the power of automated 
termination analysis significantly. The root symbols of left-hand sides of rules are 
called defined and all other symbols are constructors. For each defined symbol 
f we introduce a fresh tuple symbol F. Then for each rule f(s1, ..., sn) → r 
and each subterm g(t1, ..., tm) of r with defined root g, we build a dependency 
pair F(s1, ..., sn) → G(t1, ..., tm). To prove termination one has to find a weakly 
monotonic order ≽ such that s ≻ t for all dependency pairs s → t and l ≽ r for 
all rules l → r. For innermost termination, l ≽ r is only required for the usable 
rules of defined symbols in right-hand sides of dependency pairs. The usable 
rules for f are the f-rules together with the usable rules for all defined symbols 
in right-hand sides of f-rules. Moreover, if ≽ is C_ε-compatible (which holds for 
all orders in Sect. 2), then even for termination one only has to require l ≽ r for 
the usable rules [28]. 
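The construction of dependency pairs and usable rules just described, as an added example that is not AProVE's code: terms are nested Python tuples, tuple symbols are obtained by upper-casing the defined symbol (an assumption that works because the constructed TRS has no upper-case symbols), and the TRS itself is constructed for the example and not taken from the paper.

```python
# Terms: a variable is a plain string; an application is a tuple whose first
# element is the function symbol and whose remaining elements are the
# arguments, so minus(s(x), 0) is ("minus", ("s", "x"), ("0",)).

def is_var(t):
    return isinstance(t, str)

def root(t):
    return t[0]

def args(t):
    return t[1:]

def subterms(t):
    """All subterms of t, the term itself first, in left-to-right order."""
    yield t
    if not is_var(t):
        for a in args(t):
            yield from subterms(a)

def defined_symbols(trs):
    """Root symbols of left-hand sides; every other symbol is a constructor."""
    return {root(l) for l, _ in trs}

def tuple_symbol(f):
    """Fresh tuple symbol F for the defined symbol f (assumption for this
    example: upper-casing the name yields a symbol not used in the TRS)."""
    return f.upper()

def dependency_pairs(trs):
    """For each rule f(s1..sn) -> r and each subterm g(t1..tm) of r with
    defined root g, the pair F(s1..sn) -> G(t1..tm)."""
    defined = defined_symbols(trs)
    pairs = []
    for l, r in trs:
        lhs = (tuple_symbol(root(l)),) + args(l)
        for t in subterms(r):
            if not is_var(t) and root(t) in defined:
                pairs.append((lhs, (tuple_symbol(root(t)),) + args(t)))
    return pairs

def usable_rules(trs, terms):
    """Usable rules for the defined symbols occurring in `terms` (typically the
    right-hand sides of the dependency pairs under consideration): the f-rules
    for each such f, closed under the defined symbols in right-hand sides of
    f-rules."""
    defined = defined_symbols(trs)

    def defined_in(term):
        return {root(t) for t in subterms(term) if not is_var(t) and root(t) in defined}

    todo = set().union(*[defined_in(t) for t in terms])
    usable = set()
    while todo:
        f = todo.pop()
        usable.add(f)
        for l, r in trs:
            if root(l) == f:
                todo |= defined_in(r) - usable
    return [rule for rule in trs if root(rule[0]) in usable]

def show(t):
    if is_var(t):
        return t
    return root(t) if not args(t) else f"{root(t)}({', '.join(show(a) for a in args(t))})"

# Constructed TRS (not from the paper): minus/quot on Peano numerals plus an
# unrelated plus/double part, so that the usable rules are a proper subset.
R = [
    (("minus", "x", ("0",)), "x"),
    (("minus", ("s", "x"), ("s", "y")), ("minus", "x", "y")),
    (("quot", ("0",), ("s", "y")), ("0",)),
    (("quot", ("s", "x"), ("s", "y")), ("s", ("quot", ("minus", "x", "y"), ("s", "y")))),
    (("plus", "x", ("0",)), "x"),
    (("plus", "x", ("s", "y")), ("s", ("plus", "x", "y"))),
    (("double", "x"), ("plus", "x", "x")),
]

if __name__ == "__main__":
    dps = dependency_pairs(R)
    for s, t in dps:
        print(show(s), "->", show(t))
    quot_rhs = [t for s, t in dps if root(s) == "QUOT"]
    for l, r in usable_rules(R, quot_rhs):
        print("usable for QUOT pairs:", show(l), "->", show(r))
```

For the QUOT dependency pairs only the two minus rules are usable, so an innermost termination proof (or, with a C_ε-compatible order, a termination proof) has to orient l ≽ r for those two rules only, not for the plus and double rules.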
General Options and Base Order 

In AProVE, one can select whether to use dependency pairs for termination or 
for innermost termination proofs. The system also checks if a TRS is 
non-overlapping (then innermost termination implies termination). AProVE 
contains recent improvements which combine different modularity criteria and 
reduce the set of usable rules [14,28].^ They can be switched off for experimental 
purposes. To search for orders one can select any base order from Sect. 2. 

^ Currently, the results of [28] are only available in AProVE 1.1-beta, which does not 
yet contain all options of AProVE 1.0. AProVE 1.1 will combine their features. 

Argument Filter 

However, most of these orders are strongly monotonic, while the dependency pair 
approach only requires weak monotonicity. (For polynomial orders, a weakly 
monotonic variant is obtained by permitting the coefficient 0. But LPO(S), 
RPO(S), and KBO are always strongly monotonic.) Thus, before searching for 
an order, some of the arguments of the function symbols in the constraints can 
be eliminated by an argument filtering π [2]. For example, a binary function 
symbol f can be turned into a unary symbol by eliminating f’s first argument. 
Then π replaces all terms f(t1, t2) in the constraints by f(t2). Hence, we can 
obtain a weakly monotonic order ≻_π from a strongly monotonic order ≻ and an 
argument filtering π by defining s ≻_π t iff π(s) ≻ π(t). Moreover, we developed 
an improvement by first applying the argument filtering and determining the 
usable rules afterwards [14,28]. The advantage is that the argument filtering may 
eliminate some symbols f from the right-hand sides of dependency pairs and 
rules. Then, one does not have to require l ≽ r for the f-rules anymore. For 
this improvement, one has to select “Improved DPs” in the General Options. 

As there are exponentially many argument filterings, this search space must 
be explored efficiently. AProVE uses a depth-first algorithm [14] which treats the 
constraints one after another. We start with the set of argument filterings possi- 
bly satisfying the first constraint. Here we use the idea of [17] to keep argument 
filterings as “undefined” as possible. Then this set is reduced further to those 
filterings which possibly satisfy the second constraint as well. This procedure 
is repeated until all constraints are investigated. By inspecting constraints in a 
suitable order (instead of treating them separately as in [17]), already after the 
first constraint the set of possible argument filterings is rather small. Thus, one 
only inspects a fraction of all potential argument filterings. To use our refine- 
ment of filtering before computing usable rules, we also developed an algorithm 
to determine suitable filterings in this improved approach automatically, which 
is non-trivial since the filtering determines the resulting constraints. 

One can also combine the search for the argument filtering with the search 
for the base order by choosing the option “Consider Order Parameters” . Then 
the system also stores the corresponding parameters of the order for each possible 
argument filtering (e.g., a minimal set of precedences and stati, cf. Sect. 2). 
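An argument filtering search in the constraint-by-constraint style described above, as an added example that is not AProVE's implementation: the embedding order serves as the base order, every filtering over the signature is enumerated up front (instead of keeping filterings partially undefined as in [17]), and the candidate set is then narrowed by each constraint in turn, dependency pair constraints first. The signature and constraints are constructed for the example; a filtering maps a symbol either to a tuple of surviving argument positions or to a single position it collapses to.

```python
from itertools import combinations, product

# Terms: variables are strings, applications are tuples (symbol, arg1, ..., argn).
def is_var(t):
    return isinstance(t, str)

def root(t):
    return t[0]

def args(t):
    return t[1:]

def emb(s, t):
    """Homeomorphic embedding: t is embedded in s (the EMB order, non-strict)."""
    if s == t:
        return True
    if is_var(s):
        return False
    if any(emb(a, t) for a in args(s)):
        return True
    return (not is_var(t) and root(s) == root(t)
            and len(args(s)) == len(args(t))
            and all(emb(a, b) for a, b in zip(args(s), args(t))))

def apply_af(pi, t):
    """Apply an argument filtering pi to t. pi maps a symbol either to
    ("keep", positions), so that only those 1-based argument positions survive,
    or to ("collapse", i), so that f(t1..tn) is replaced by the filtered ti.
    Symbols not mentioned in pi keep all their arguments."""
    if is_var(t):
        return t
    f, ts = root(t), args(t)
    kind, sel = pi.get(f, ("keep", tuple(range(1, len(ts) + 1))))
    if kind == "collapse":
        return apply_af(pi, ts[sel - 1])
    return (f,) + tuple(apply_af(pi, ts[i - 1]) for i in sel)

def all_filterings(signature):
    """Every argument filtering over a signature {symbol: arity}. Their number
    grows exponentially with the signature, hence the pruning in the search."""
    per_symbol = []
    for f, n in signature.items():
        options = [("keep", ps) for k in range(n + 1)
                   for ps in combinations(range(1, n + 1), k)]
        options += [("collapse", i) for i in range(1, n + 1)]
        per_symbol.append([(f, o) for o in options])
    return [dict(choice) for choice in product(*per_symbol)]

def satisfies(pi, s, t, strict):
    """s >_pi t (strict) or s >=_pi t: pi(s) embeds pi(t)."""
    ps, pt = apply_af(pi, s), apply_af(pi, t)
    return emb(ps, pt) and (not strict or ps != pt)

def search_filterings(signature, constraints):
    """Start from the filterings satisfying the first constraint, keep only
    those that also satisfy the second, and so on. Constraints are
    (s, t, strict); the strict dependency pair constraints come first so that
    the candidate set shrinks as early as possible."""
    candidates = all_filterings(signature)
    for s, t, strict in constraints:
        candidates = [pi for pi in candidates if satisfies(pi, s, t, strict)]
        if not candidates:
            break
    return candidates

# Constructed example (not from the paper): the dependency pair
# QUOT(s(x), s(y)) -> QUOT(minus(x, y), s(y)) and the two minus rules.
SIGNATURE = {"QUOT": 2, "minus": 2, "s": 1, "0": 0}
CONSTRAINTS = [
    (("QUOT", ("s", "x"), ("s", "y")), ("QUOT", ("minus", "x", "y"), ("s", "y")), True),
    (("minus", "x", ("0",)), "x", False),
    (("minus", ("s", "x"), ("s", "y")), ("minus", "x", "y"), False),
]

if __name__ == "__main__":
    for pi in search_filterings(SIGNATURE, CONSTRAINTS):
        print(pi)
```

Without any filtering the dependency pair constraint cannot be oriented by embedding, since s(x) does not embed minus(x, y). Of the 108 filterings over this signature, the three that survive all collapse minus to its first argument and keep the argument of s, which is what lets the strict constraint hold while the two minus rules remain weakly decreasing.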

Heuristics 

To improve performance, one can use heuristics to restrict the set of possible 
argument filterings [14]. The most successful heuristic “Type” only regards 
argument filterings where for every symbol f, either no argument position is 
eliminated or all non-eliminated argument positions are of the same type. Here, 
we use a monomorphic type inference algorithm to transform a TRS into a sorted 
TRS (where in every rule l → r, l and r must be well-typed terms of the same 
type). 

When selecting the heuristic “EMB for DPs”, only the very simple embedding 
order is used for orienting constraints like s ≻ t which come from dependency 
pairs s → t. Only for constraints l ≽ r from rules l → r, one may apply 
more complicated orders like LPO, RPO(S), etc. Since our depth-first algorithm 
to determine argument filterings starts with the dependency pairs, this reduces 
the search space significantly without compromising power very much. 

This depth-first algorithm uses a top-down approach where constraints from 
f-rules are considered before g-rules, if f calls g. As an alternative heuristic, we 
also offer a “Bottom-Up algorithm” which starts with determining an argument 
filtering for constructors and then moves upwards through the recursion 
hierarchy where g is treated before f, if f calls g. To obtain an efficient technique, 
here the system only determines one single argument filtering at each choice point, 
even if several ones are possible, and it does not perform any backtracking. This 
algorithm reduces the search space enormously, but it also restricts the power, 
since the proof can fail if one selects the “wrong” argument filtering at some 
point. Thus, this heuristic is suitable as a fast pre-processing step and if it fails, 
one should still apply the full dependency pair approach afterwards, cf. Sect. 5. 

DP Graph 

For TRSs with many rules, (innermost) termination proofs should be performed 
in a modular way. To this end, one constructs an estimated (innermost) 
dependency graph and regards its cycles separately [2,13]. One can select between 
standard [2] and more powerful recent estimations (EDG* / EIDG**) [15,17]. 

For each cycle, only one dependency pair must be strictly decreasing and the 
others just have to be weakly decreasing. As shown in [17], one should not 
compute all cycles, but only maximal cycles (strongly connected components 
(SCCs)). The reason is that the chosen argument filtering and base order may 
make several dependency pairs in an SCC strictly decreasing. In that case, 
subcycles of the SCC containing such a strictly decreasing dependency pair do 
not have to be considered anymore. So after solving the constraints for the initial 
SCCs, all strictly decreasing dependency pairs are removed and one now builds 
SCCs from the remaining dependency pairs, etc. This algorithm is chosen by 
selecting “Cycles”. The algorithm “SCCs” requires a strict decrease for all 
dependency pairs in an SCC and is only intended for experimental purposes. 

In order to benefit from all existing refinements on modularity of dependency 
pairs, we developed and implemented an improved technique which permits the 
combination of recent results on modularity of Cg-terminating TRSs [29] with 
arbitrary estimations of dependency graphs, cf. [14,28]. This improvement is 
only available if one selects “Improved DPs” in the General Options. 

DP Transformations 

To increase power, a dependency pair can be transformed into several new pairs 
by narrowing, rewriting, and instantiation [2,12,14,15]. In contrast to [12,14], 
AProVE can instantiate dependency pairs both w.r.t. the pairs before and behind 
it in chains (the latter is called forward instantiation) [15]. The user can select 
which of these transformations should be applicable. Usually, all transformations 
should be enabled, since they are often crucial for the success of the proof and 
they can never “harm”: if the termination proof succeeds without transforma- 
tions, then it also succeeds when performing transformations [15], but not vice 
versa. However, the problem is when to use these transformations, since they 
may be applicable infinitely often. Moreover, transformations may increase 
runtime by producing a large number of similar constraints. AProVE performs 
transformations in “safe” cases where their application is guaranteed to 
terminate [14]. We distinguish between increasing and decreasing safe 
transformations. Decreasing transformations delete dependency pairs or SCCs 
and therefore, they do not have a negative impact on the efficiency. The user 
can disable both kinds of safe transformations. If turned on, decreasing 
transformations are applied before trying to solve the constraints for an SCC. 
Increasing transformations are only used a limited number of times when a 
proof attempt fails, and then the proof is re-attempted. 

Interaction 

In addition to the fully automated mode, (innermost) termination proofs with de- 
pendency pairs can be performed interactively. Here, the user can specify which 
transformation steps should be performed and for any cycle or SCC, one can 
determine (parts of) the argument filtering, the base order, and the dependency 
pair which should be strictly decreasing. The constraints resulting from such 
selections are immediately displayed, such that interactive proofs are supported 
in a very comfortable way. This mode is intended for the development of new 
heuristics and for machine-assisted proofs of particularly challenging examples. 

4 Termination Proofs with the Size-Change Principle 

A new size-change principle for termination of functional programs was pre- 
sented in [23] and extended to TRSs in [27]. A similar principle is also known for 
logic programs [8]. AProVE offers the technique of [27, Thm. 11] for size-change 
termination of TRSs using the embedding order as underlying base order. ^ 
AProVE also contains the combination of the size-change principle with de- 
pendency pairs from [27], which often succeeds with much simpler argument 
filterings and base orders than the pure dependency pair approach. Again, each 
SCC of the estimated (innermost) dependency graph is treated separately. In 
case of failure for some SCC, the dependency pairs are transformed by narrow- 
ing, rewriting, or instantiation and the proof attempt is re-started. If the user 
has selected the “hybrid” algorithm, then the pure dependency pair method is 
tried as soon as the limits for the transformations are reached. Thus, then the 
combined method is used as a fast technique which is checked first for every 
SCC and only if it fails, one uses the ordinary dependency pair approach on this 
SCC. 

^ As shown in [27], only very restricted base orders are sound in connection with the 
size-change principle. In addition to the results in [27], the full embedding order may 
be used, where f(..., x_i, ...) ≽ x_i also holds for defined function symbols f. 

5 Design of AProVE’s Implementation 

All techniques of the previous two sections are SCC-processors which transform 
one SCC into a set of new SCCs: The dependency pair approach takes an SCC 
and if the constraints for this SCC can be solved using some base order, it deletes 
the strictly decreasing dependency pairs and returns the SCCs of the remaining 
subgraph. The DP transformations also produce a set of new SCCs out of a given 
one. Finally, the combination of dependency pairs with the size-change principle 
processes the SCCs of the estimated (innermost) dependency graph one by one, 
too. Therefore, all these techniques are implemented as modules which take one 
SCC as input and return a set of SCCs. So AProVE uses the following main 
algorithm, where one may choose different SCC-processors in Step 4 (b). 

1. Remove redundant rules of the TRS which do not influence termination. 

2. Check whether the TRS is non-overlapping. Then it is sufficient to 
prove innermost termination instead of termination. 

3. Compute initial SCCs of the estimated (innermost) dependency graph. 

4. While there are SCCs left and there is no failure: 

(a) Remove one SCC V from the set of SCCs. 

(b) Choose an SCC-processor . 

(c) Transform V with the chosen SCC-processor. 

(d) Add the resulting new set of SCCs to the remaining SCCs. 

Due to this modular structure, procedures which combine different termina- 
tion techniques can easily be implemented in AProVE. One just has to configure 
which SCC-processors should be taken in Step 4 (b). It is advantageous if one 
first tries to use fast SCC-processors which benefit from successful heuristics. In 
this way, SCCs that are easy to handle can be treated efficiently. Only for SCCs 
where these fast SCC-processors fail, one should use slower but more powerful 
SCC-processors afterwards. Examples for such termination procedures offered in 
AProVE are the hybrid algorithm described in Sect. 4 or the following “Meta 
Combination” algorithm. This algorithm is particularly useful if one does not 
want to get involved with the details of termination proving, but wants to use 
AProVE in a “black box”-mode. In Step 4 (b), it always takes the first processor 
from the following list that is applicable (i.e., that can transform the SCC V into 
a new set of SCCs different from V). Here, we use linear polynomial interpreta- 
tions with coefficients from {0, 1} and LPOs with “Nonstrict Precedence”. 

• Decreasing safe transformations 

• “DPs using Bottom-Up algorithm” with POLO and LPO as base orders 

• Dependency pairs with the heuristic “EMB for DPs” and LPO 

• Full dependency pair approach with POLO as base order 

• Increasing safe transformations 
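The main algorithm of Sect. 5 (Steps 3 and 4) and the “Cycles” treatment of the DP graph it builds on (remove the strictly decreasing pairs of an SCC, rebuild the SCCs of what remains), as an added example that is not AProVE's code. The dependency graph is constructed by hand rather than estimated, and each base order is stood in for by the set of pairs it would make strictly decreasing, so the example shows the processor chaining and the first-applicable-processor rule, not the order search itself; Steps 1 and 2 are not modelled.

```python
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# The estimated (innermost) dependency graph: each dependency pair (here just a
# name) maps to the pairs that may follow it in a chain. The graph below is
# constructed by hand; estimating it from terms is not modelled here.
Graph = Dict[str, Set[str]]
SCC = FrozenSet[str]
# An SCC-processor turns one SCC into a list of new SCCs, or returns None when
# it is not applicable to that SCC.
Processor = Callable[[SCC], Optional[List[SCC]]]

def sccs(graph: Graph, nodes) -> List[SCC]:
    """Strongly connected components of the subgraph induced by `nodes`
    (Tarjan's algorithm). Only components containing a cycle are returned:
    more than one node, or a single node with an edge to itself."""
    nodes = set(nodes)
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: Set[str] = set()
    result: List[SCC] = []

    def visit(v: str) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, ()):
            if w not in nodes:
                continue
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            component = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                component.add(w)
                if w == v:
                    break
            if len(component) > 1 or v in graph.get(v, ()):
                result.append(frozenset(component))

    for v in sorted(nodes):
        if v not in index:
            visit(v)
    return result

def order_processor(graph: Graph, strictly_decreasing: Set[str]) -> Processor:
    """The dependency pair approach with one base order as an SCC-processor:
    the pairs the order makes strictly decreasing are removed and the SCCs of
    the remaining subgraph are returned. `strictly_decreasing` stands in for
    the outcome of the order search (constructed; the other pairs are assumed
    weakly decreasing). Not applicable when no pair of the SCC is strict."""
    def process(scc: SCC) -> Optional[List[SCC]]:
        strict = scc & strictly_decreasing
        if not strict:
            return None
        return sccs(graph, scc - strict)
    return process

def prove(graph: Graph, processors: List[Tuple[str, Processor]]):
    """Steps 3 and 4: compute the initial SCCs, then repeatedly remove one SCC,
    apply the first applicable processor (one that yields a set of SCCs
    different from the SCC itself) and add the new SCCs. Returns whether every
    SCC was eventually eliminated, plus a log of the processor applications."""
    todo = sccs(graph, graph.keys())
    log = []
    while todo:
        current = todo.pop()
        for name, processor in processors:
            new = processor(current)
            if new is not None and set(new) != {current}:
                log.append((name, sorted(current), [sorted(c) for c in new]))
                todo.extend(new)
                break
        else:
            return False, log      # no processor made progress on `current`
    return True, log

# Constructed graph: two SCCs, {P1, P2} (with a self-loop on P1) and {P3, P4}.
G: Graph = {"P1": {"P1", "P2"}, "P2": {"P1", "P3"}, "P3": {"P3", "P4"}, "P4": {"P3"}}
# Fast processor first, the more powerful one afterwards, as Sect. 5 recommends.
PROCESSORS = [("POLO", order_processor(G, {"P2", "P3"})),
              ("LPO", order_processor(G, {"P1"}))]

if __name__ == "__main__":
    ok, steps = prove(G, PROCESSORS)
    print("terminating" if ok else "failed")
    for name, before, after in steps:
        print(f"  {name}: {before} -> {after}")
```

Removing P2 from {P1, P2} leaves P1 with its self-loop, so a new SCC {P1} appears and has to be handled by the slower processor; removing P3 from {P3, P4} leaves P4 without a cycle, so nothing remains. With only the POLO processor the run stops at {P1} and reports failure, which is the situation in which Sect. 5 says a more powerful processor should be tried next.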

6 Running AProVE and Comparison with Other Tools 

AProVE accepts four input languages: logic and (first-order) functional programs, 
conditional and unconditional TRSs. Functional and logic programs are trans- 
lated into conditional TRSs and conditional TRSs are transformed further into 
unconditional TRSs [12,24]. For logic programs, these transformations corre- 
spond to the approach of the termination prover TALP [25]. 

The results of the termination proof are displayed in html-format and can be 
stored in html- or LaTeX-format. Moreover, a “System Log” describes all (pos- 
sibly failed) proof attempts. Any termination proof attempt may be interrupted 
by a stop-button. Instead of running the system on only one TRS or program, 
one can also run it on collections and directories of examples in a “Batch Mode”. 
Compared with other recent automated termination provers for TRSs (Arts 
[1], Cariboo [10], CiME [5], Termptation [4], TTT [18]), AProVE is the only sys- 
tem incorporating improvements like automated dependency pair transforma- 
tions, applying argument filterings before usable rules, and combining modular- 
ity results based on Cg-termination with recent dependency graph estimations. 
Moreover, it offers more base orders than any other system, it can also handle 
conditional TRSs, and integrates the size-change principle. Finally, AProVE’s 
design permits the combination of powerful heuristics and different termination 
techniques as in the “Meta Combination” algorithm of Sect. 5. In addition, the 
system has a graphical user interface and a comfortable interactive component. 

The next version of AProVE will also feature AC-rewriting and we try to 
improve its performance on string rewrite systems and logic programs. Our future 
work is also concerned with extensions to handle imperative programs, higher- 
order functional programs, and context-sensitive rewriting. Moreover, we plan 
to add a component to detect programs and systems that are not terminating. 

Due to the numerous improvements developed and integrated in AProVE, it 
succeeded on more examples than any other system at the exhibition/competition 
of automated termination provers at the International Termination Workshop 
2003. These results are confirmed by the following experiments, where we give 
an empirical comparison of AProVE 1.0 (using the “Meta Combination” algo- 
rithm) with the only two other tools currently available on the web (CiME and 
Termptation). The tools were tested on the collections of [3,7,26] (130 TRSs for 
termination, 151 TRSs for innermost termination). To show that the techniques 
described in [18] are a substantial restriction, in the last row we ran AProVE 
in a mode where we switched off all improvements and only used the methods 
available in [18]. Since [18] contains several base orders and argument filtering 
heuristics, we took the ones which gave the best overall result on this collection. 





                                   Termination           Innermost Term. 
System                             Power     Time        Power     Time 
AProVE                             95.4 %    26.2 s      98.0 %    34.3 s 
CiME                               71.5 %    660.7 s     —         — 
Termptation                        65.4 %    521.8 s     72.8 %    681.7 s 
AProVE with techniques of [18]     52.3 %    679.1 s     —         — 



The “Power” column contains the percentage of those examples in the collection 
where the proof attempt was successful. The “Time” column gives the overall 
time for running the system on all examples of the collection (also on the ones 
where the proof attempt failed). For each example we used a time-out of 60 
seconds on a Pentium IV with 2.4 GHz and 1 GB memory. For more details 
on the above experiments and to download AProVE, the reader is referred to 
http://www-i2.informatik.rwth-aachen.de/AProVE. 
Abstract. We explore an alternative for metric limits in the context 
of infinitary lambda calculus with transfinite reduction sequences. We 
will show how to use the new approach to get calculi that correspond 
to the 111, 101 and 001 infinitary lambda calculi of Kennaway et al., 
which have been proved to correspond to Berarducci Trees, Lévy-Longo 
Trees and Böhm Trees respectively. We will identify subsets of the sets of 
meaningless terms of the metric calculi and prove that the approximation 
based calculi are equivalent to their metric counterparts up to these 
subsets. 

Keywords: lambda calculus, infinitary rewriting. 



1 Introduction 

There exist two approaches to infinitary rewriting: complete developments of 
infinite sets of redexes on infinite terms (see [Cor93]) and transfinite reduction 
sequences where one assigns a limit to an infinite reduction sequence and then 
starts again (see [KdV03] for an overview). We follow the latter approach. 

Transfinite reduction sequences have been studied in both the context of 
term rewriting systems ([DK89,KKSdV93,KKSdV95b]) and in the context of 
the lambda calculus ([KKSdV95a,KKSdV97]). In this line of work, the basic 
means of assigning a result to an infinite sequence is to view the set of infinite 
terms as a metric space and use the metric limit. On top of this basic principle 
a lot of fine tuning can be done. The approach works well, but it is not very 
elegant in the sense that we cannot assign a result to every infinite reduction 
sequence. Therefore, we have explored an alternative means of assigning a result 
to an infinite sequence: the limes inferior (liminf). We have also explored how to 
fine tune the concept. 

Important notions for this paper are the depth of a sub-term in a term and 
the prefix of a term. The default definition of the depth of a sub-term in a 
term is the number of symbols between the top symbol of the sub-term and the 
top of the term. A prefix of a term $t$ is a finite term smaller than $t$ in 
the $\leq_\Omega$ order induced by $\Omega \leq_\Omega s$, for any term $s$. 
Note that we use $\Omega$ as a constant rather than as a term. Also note that 
where we use $\Omega$ the constant $\bot$ is often used instead. 
To illustrate some of the concepts in infinitary rewriting, we will use the 
classical ABC term rewriting example: 

$$A(x) \to x \qquad B(x) \to x \qquad C \to A(B(C))$$

Note that we can reproduce the behavior of this TRS in the lambda calculus by 
interpreting $A$, $B$ and $C$ as follows: 

$$A(x) = (\lambda u.x)\,A \qquad B(x) = (\lambda u.x)\,B \qquad C = (\lambda u.A(B(u\,u)))\,(\lambda u.A(B(u\,u))) .$$

As a simple example, consider the infinite sequence 

$$C \to A(B(C)) \to A(B(A(B(C)))) \to \cdots$$

The result of this sequence is $AB^\omega = A(B(A(B(\cdots))))$. This may be 
denoted $C \to^\omega AB^\omega$. Likewise, the result of 

$$C \to A(B(C)) \to A(C) \to A(A(B(C))) \to A(A(C)) \to \cdots$$

is $A^\omega = A(A(\cdots))$. We also have $C \to^\omega B^\omega$. All of 
these results are metric limits. The sequence 

$$C \to A(B(C)) \to B(C) \to C \to A(B(C)) \to B(C) \to C \to \cdots \qquad (1)$$

does not have a metric limit. To get its liminf, we look at the sets of 
prefixes of these terms: 

$$\{\Omega, C\},\ \{\Omega, A(\Omega), A(B(\Omega)), A(B(C))\},\ \{\Omega, B(\Omega), B(C)\},\ \{\Omega, C\},\ \cdots$$

The only prefix which is present in all sets in a tail of the sequence is 
$\Omega$. Thus, the liminf of this sequence is $\Omega$. Likewise, the 
sequence 

$$A(C) \to A(A(B(C))) \to A(A(C)) \to A(C) \to \cdots$$

has no metric limit, but its liminf is $A(\Omega)$. 

To deal with sequences that do not have a limit, several metric calculi use 
the notion of 0-active term or root active term. A term is 0-active if there 
exists an infinite reduction which contracts a redex at the root of the term 
infinitely often. For example, in (1) every redex is contracted at the root, 
so $C$ is 0-active. These metric calculi add a rule that 0-active terms can be 
rewritten to $\Omega$. 

Adding such a rule creates some confusion over what is the correct result 
of some sequences. For example, the term $A^\omega$ is also 0-active, as shown 
by the sequence 

$$A^\omega = A(A^\omega) \to A^\omega = A(A^\omega) \to A^\omega = A(A^\omega) \to \cdots \qquad (2)$$

However, the limit of the terms in the sequence is $A^\omega$. This means that 
we have two candidates for the correct result of this sequence: $\Omega$ and 
$A^\omega$. The more advanced work on metric calculi avoids this confusion by 
distinguishing between weakly and strongly converging reduction sequences. A 
weakly converging reduction sequence is any reduction sequence whose limit 
exists. A strongly converging reduction sequence is a sequence whose limit 
exists and in which the depth of the redexes tends to infinity. As all redexes 
in (2) are contracted at the root, it is a weakly converging sequence but not 
a strongly converging sequence. In the sequence 

$$A^\omega = A(A(A^\omega)) \to A(A^\omega) = A(A(A(A^\omega))) \to \cdots \qquad (3)$$

the redexes are contracted at depths $0, 1, 2, \cdots$. So this sequence is 
strongly converging. We want to adhere to the strong convergence intuition, so 
what we want for our new limit is that the result of (2) is $\Omega$ and that 
the result of (3) is $A^\omega$. This can be achieved by taking the liminf of 
the contexts in which the redexes are contracted (equating $\square$ with 
$\Omega$). The intuition behind this choice is that we take the liminf of the 
sets of preserved prefixes, where a prefix is preserved if it does not overlap 
with the redex being contracted. So the result of (2) is the liminf of 
$\Omega, \Omega, \cdots$, which is $\Omega$. The result of (3) is the liminf 
of $\Omega, A(\Omega), A(A(\Omega)), \cdots$, which is $A^\omega$. Because of 
this intuition, we will refer to our calculi as preservation calculi and to 
their limit notion as the preservation limit. 

The preservation limit of any sequence which contracts a redex at the root 
infinitely often becomes $\Omega$. This means that for the case of the 
standard depth function, we can replace strongly converging metric limits plus 
the 0-active-to-$\Omega$ rule by just the preservation limit. 
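As an added worked example (this is not code from the paper), the two limit notions above on the finite ABC terms: a term is the set of its (position, symbol) pairs (the representation of Sect. 2), the ABC rules are applied at a chosen position, and for a sequence that returns to its start term (so that it repeats forever) the code computes both the liminf of the terms and the preservation limit, i.e. the liminf of the terms with the contracted redex replaced by Ω (the cut of Def. 3). Sequence (1) and the A(C) sequence are the ones from the text; the loop rule D → D and the helper names (term, cut, rewrite, limits, show) are assumptions introduced here, D → D playing the role of sequence (2), whose terms never change while every redex is contracted at the root.

```python
# Added example, not code from the paper: first-order terms as sets of
# (position, symbol) pairs, the ABC system, and the liminf of the terms
# versus the preservation limit on sequences that repeat forever.

OMEGA = frozenset()  # Omega is the everywhere-undefined partial function
# Arities of the ABC symbols; D -> D is an assumed extra loop rule, not
# part of the paper's system, standing in for sequence (2).
ARITY = {'A': 1, 'B': 1, 'C': 0, 'D': 0}


def term(sym, *args):
    """Build a finite term; positions are tuples of 1-based child indices."""
    pairs = {((), sym)}
    for i, arg in enumerate(args, start=1):
        pairs |= {((i,) + p, s) for p, s in arg}
    return frozenset(pairs)


def subterm(t, p):
    """The sub-term of t at position p, re-rooted at the empty position."""
    return frozenset((q[len(p):], s) for q, s in t if q[:len(p)] == p)


def cut(t, p):
    """Definition 3 of the paper: replace the sub-term at p by Omega."""
    return frozenset((q, s) for q, s in t if q[:len(p)] != p)


def plug(t, p, u):
    """Put the term u at position p of t."""
    return cut(t, p) | frozenset((p + q, s) for q, s in u)


def rewrite(t, p):
    """One step of A(x)->x, B(x)->x, C->A(B(C)) (or the assumed D->D) at p."""
    root = dict(subterm(t, p))[()]
    if root in ('A', 'B'):
        return plug(t, p, subterm(t, p + (1,)))
    if root == 'C':
        return plug(t, p, term('A', term('B', term('C'))))
    if root == 'D':
        return t
    raise ValueError(f"no rule for symbol {root!r}")


def show(t):
    """Render a term, writing Omega for an undefined argument."""
    if not t:
        return 'Ω'
    root = dict(t)[()]
    args = [show(subterm(t, (i,))) for i in range(1, ARITY[root] + 1)]
    return root + ('(' + ', '.join(args) + ')' if args else '')


def liminf_periodic(sets):
    """liminf of a sequence that repeats `sets` forever: every tail
    intersection is the intersection over one period, so the union over
    all tails is that same intersection."""
    return frozenset.intersection(*sets)


def limits(start, positions):
    """Contract redexes at `positions`; the sequence must return to `start`
    so that it is periodic. Returns (liminf of the terms, preservation
    limit), the latter being the liminf of the terms cut at the redex,
    i.e. of the contexts in which the redexes are contracted."""
    terms, cuts = [start], []
    t = start
    for p in positions:
        cuts.append(cut(t, p))
        t = rewrite(t, p)
        terms.append(t)
    if terms[-1] != terms[0]:
        raise ValueError("sequence is not periodic")
    return liminf_periodic(terms[:-1]), liminf_periodic(cuts)


if __name__ == '__main__':
    # sequence (1): C -> A(B(C)) -> B(C) -> C, every redex at the root
    print([show(x) for x in limits(term('C'), [(), (), ()])])
    # A(C) -> A(A(B(C))) -> A(A(C)) -> A(C), redexes below the root
    print([show(x) for x in limits(term('A', term('C')), [(1,), (1, 1), (1,)])])
    # assumed root loop D -> D -> D, the finite analogue of sequence (2)
    print([show(x) for x in limits(term('D'), [(), ()])])
```

For (1) both limits are Ω and for the A(C) sequence both are A(Ω), as in the text; for the root loop D → D → ··· the liminf of the terms is D while the preservation limit is Ω, which is exactly the distinction the strong convergence intuition asks for.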

For non-standard depth functions the situation is slightly more complicated. 
The standard depth function increases the depth by one every time one passes 
through a function symbol. Kennaway et al. parameterized the lambda calculus 
depth with a string $xyz$, where $x, y, z \in \{0, 1\}$. When passing through 
a lambda the depth increases by $x$, when passing through the left argument of 
an application it increases by $y$ and when passing through the right argument 
of an application it increases by $z$. So in the term $\lambda u.v\,w$, the 
depth of $v\,w$ is $x$, the depth of $v$ is $x + y$ and the depth of $w$ is 
$x + z$. With this alternative notion of depth, we must replace "at the root" 
by "at depth 0" in the above explanations. Most of the theory goes through in 
the same way as before, but we create a new class of problematic terms: the 
0-undefined terms, i.e., terms which contain an $\Omega$ at depth 0. Both the 
metric and the liminf calculi must rewrite non-trivial 0-undefined terms to 
$\Omega$. The metric calculi do so by extending the set of 0-active terms to 
a set of meaningless terms; the liminf calculi will need to add a rule. To see 
why adding a rule is necessary, consider the 001 depth notion and the term 
$(\lambda u.v\,u)\,((\lambda v.v\,v)\,(\lambda v.v\,v))$. We have 

$$(\lambda u.v\,u)\,((\lambda v.v\,v)\,(\lambda v.v\,v)) \xrightarrow{\text{0-active}} (\lambda u.v\,u)\,\Omega \to v\,\Omega \xrightarrow{\text{0-undefined}} \Omega$$

and 

$$(\lambda u.v\,u)\,((\lambda v.v\,v)\,(\lambda v.v\,v)) \to v\,((\lambda v.v\,v)\,(\lambda v.v\,v)) \to v\,\Omega$$

Without the 0-undefined rule confluence would have been lost in this case. 
There are three useful calculi: 111, 101 and 001. These calculi correspond 
to Berarducci Trees ([Ber94]), Lévy-Longo Trees ([Lev78]) and Böhm Trees, 
respectively. The preservation 111 calculus and the metric 111 calculus differ 
only by the lengths of reduction sequences; the end points are exactly 
identical. The 101 and 001 versions not only differ by length, but we must 
also take the end points modulo 0-undefined terms. 

Overview. The remainder of the paper is organized as follows. In Sect. 2, we 
introduce a notion of infinite term which is in between de Bruijn notation and 
sets of prefixes. In Sect. 3, we introduce the metric infinitary lambda calculi of 
Kennaway et al. using our own notation. In Sect. 4, we introduce preservation 
limits for all of the lambda calculi defined in the preceding section. In Sect. 5, we 
compare metric sequences with preservation sequences. This section is followed 
by the conclusion. 

2 Preliminaries 

When working with infinitary calculi, it is often not enough to know where in a 
term a symbol occurs, but also what symbols are above it. Thus, in our notion 
of position we also encode the symbols encountered along the way. More 
precisely, a position will be a finite string of numbers, where a 1 stands for 
passing through a lambda, a 2 for the left argument of an application and a 3 
for the right argument of an application. The empty string is denoted 
$\varepsilon$. The set of positions is given by: 

$$Pos = \{1, 2, 3\}^* .$$

If $p$ and $p'$ are positions then $pp'$ is the concatenation (as strings) of 
the two. If $p$ is a position and $s$ is an arbitrary symbol then $ps = s$. 
(E.g. $123@ = @$.) 

Using positions we can represent terms as suitable partial functions from 
the set of positions to the set of symbols. In order to avoid problems with 
$\alpha$-conversion, we use a single $\lambda$ symbol and represent bound 
variables by the position of the lambda they are bound to. We will often view 
(partial) functions as relations. That is, we will switch freely between 
writing $f(x) = y$ and writing $(x, y) \in f$. 

Definition 1. The set of terms $T^\infty$ is the set of partial functions 
$t : Pos \to \{@, \lambda\} \cup V \cup Pos$ such that 

— If $t(p1)$ is defined then $t(p) = \lambda$. 

— If $t(p2)$ is defined or $t(p3)$ is defined then $t(p) = @$. 

— If $t(p) = q$ then $\exists q' : q1q' = p$. 

Two important sets of positions in a term $t$ are the set of defined positions 
($\mathcal{D}(t)$) and the set of undefined edge positions ($\Omega(t)$). The 
former is simply the domain of the partial function, denoted $\mathcal{D}(t)$. 
The latter is the set of positions which are not defined in the term, but 
whose immediate predecessor is defined in the term. 

Definition 2. For any term $t \in T^\infty$ let 

$$\mathcal{D}(t) = \{p \mid (p, s) \in t\} ;$$

$$\Omega(t) = (\{p1 \mid (p, \lambda) \in t\} \cup \{p2, p3 \mid (p, @) \in t\}) \setminus \{p \mid (p, s) \in t\} .$$

The binary operator $\dagger$ removes a sub-term at a position. That is, it 
replaces the sub-term by $\Omega$: 

Definition 3. For any term $t \in T^\infty$ and position $p \in Pos$ let 

$$t \dagger p = \{(p', s') \mid (p', s') \in t \wedge \neg\exists p'' : pp'' = p'\}$$

We will now define the usual lambda term and context syntax in terms of 
our definition of term. The term syntax definitions are straightforward: 

Definition 4. 

$$\llbracket \Omega \rrbracket = \emptyset$$

$$\llbracket x \rrbracket = \{(\varepsilon, x)\}$$

$$\llbracket M\,N \rrbracket = \llbracket M \rrbracket\,\llbracket N \rrbracket$$

$$t_1\,t_2 = \{(\varepsilon, @)\} \cup \{(2p, 2s) \mid (p, s) \in t_1\} \cup \{(3p, 3s) \mid (p, s) \in t_2\}$$

$$\llbracket \lambda x.M \rrbracket = \lambda x.\llbracket M \rrbracket$$

$$\lambda x.t = \{(\varepsilon, \lambda)\} \cup \{(1p, 1s) \mid (p, s) \in t \wedge s \neq x\} \cup \{(1p, \varepsilon) \mid (p, s) \in t \wedge s = x\}$$

The trick to defining contexts is to use a mapping from abstraction positions 
to variable names to control which variables are bound by which position¹. 

Definition 5. A context is a tuple $(t, p, \square)$, where $t$ is a term, 
$p \in \Omega(t)$ is the position of the hole in $C$ and 
$\square : \{p \mid (p, \lambda) \in t\} \to V$ is a surjective function. 

$$(t_1, p, \square)[t_2] = t_1 \cup \{(pp', \delta(s)) \mid (p', s) \in t_2\}$$

$$\delta(s) = \begin{cases} p'' , & \text{if } \square(p'') = s \\ ps , & \text{if } s \in Pos \\ s , & \text{otherwise} \end{cases}$$

We also need substitutions. 

Definition 6. A substitution is a function $\sigma : V \to T^\infty$. The 
application of the substitution $\sigma$ to a term $t$ is given by: 

$$t\sigma = \{(p, s) \mid (p, s) \in t \wedge s \notin V\} \cup \left(\bigcup \{\{(pp', ps') \mid (p', s') \in \sigma(x)\} \mid x \in V \wedge (p, x) \in t\}\right)$$

And finally we can define $\beta$-reduction at a position in the usual way: 

Definition 7. If $C = (t, p, \square)$ is a context, $x$ is a variable and 
$M, N$ are terms then 

$$C[(\lambda x.M)\,N] \to_\beta C[M[x := N]] .$$



¹ The idea of controlling the binding in a context is not new. For example, 
it was explored in [BdV01]. 
3 Metric Infinitary Rewriting 

In this section, we introduce the metric infinitary lambda calculi of Kennaway 
et al. (see [KKSdV97]). Note that we have made a few minor modifications to 
the presentation to allow better comparison with the preservation infinitary 
lambda calculi in the next chapter. 

The depth of a symbol in a term is derived from the length of the position. 

Definition 8. For $x, y, z \in \{0, 1\}$, the length 
$|.|_{xyz} : Pos \to \mathbb{N}$ of a position in an $xyz$ calculus is given by 

$$|1p|_{xyz} = x + |p|_{xyz}$$

$$|2p|_{xyz} = y + |p|_{xyz}$$

$$|3p|_{xyz} = z + |p|_{xyz}$$

Terms with infinitely many symbols at the same depth are excluded in the 
metric calculi. In other words, we restrict to terms with finite levels. 

Definition 9. The set of finite level $xyz$ terms is 

$$T^\infty_{xyz} = \{t \in T^\infty \mid \neg\exists p, p_1, p_2, \ldots : \forall n : |p_n|_{xyz} = 0 \wedge p\,p_1 \cdots p_n \in \mathcal{D}(t)\} .$$

Based on the notion of length and these sets of terms, we can define a metric 
space. 

Definition 10. The $xyz$ metric is defined as 

$d_{xyz}(t_1, t_2)$ = , otherwise 

In the metric calculi, terms which are meaningless because they have an 
$\Omega$ at depth 0 and terms which are meaningless because they allow an 
infinite reduction which contracts infinitely many redexes at depth 0 can be 
treated as the same thing. However, for the preservation calculi in the next 
chapter we need to be able to distinguish between them. Thus, we introduce 
the following two rewrite rules to deal with meaningless terms. 

Definition 11. The rewrite rules $\to_{\Omega xyz}$ and $\to_{\infty xyz}$ are 
given by 

$$t \to_{\Omega xyz} \Omega , \quad \text{if } \exists p \in \Omega(t) : |p|_{111} > 0 \wedge |p|_{xyz} = 0$$

$$t \to_{\infty xyz} \Omega , \quad \text{if } \exists t_i, p_i : t = t_0 \to_{p_0} t_1 \to_{p_1} t_2 \to_{p_2} \cdots \wedge |p_i|_{xyz} = 0$$
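Definitions 1, 2, 4, 8 and 11 in executable form, as an added example (this is not code from the paper): positions are strings over {1, 2, 3}, a term is a frozenset of (position, symbol) pairs, the syntax translation of Definition 4 builds terms in which a bound variable is replaced by the position of its binder, length implements |p|_xyz, and is_zero_undefined checks the premise of the Ω_xyz rule for a given xyz. The function names and the convention that variable names are letters (so that they are never mistaken for positions) are assumptions of this example.

```python
# Added example, not code from the paper: Definitions 1, 2, 4, 8 and 11
# made executable. Positions are strings over {1,2,3} (the empty string is
# epsilon); a term is a frozenset of (position, symbol) pairs. Variable
# names are assumed to be letters, so they are never mistaken for positions.

OMEGA = frozenset()   # [[Omega]] = the empty partial function
LAM, APP = 'λ', '@'


def is_pos(s):
    """True for positions, i.e. strings over {1,2,3} (including epsilon)."""
    return all(c in '123' for c in s)


def shift(c, s):
    """The paper's convention cs = s for a symbol s; a position s (a
    bound-variable reference) is prefixed by c so that it keeps pointing at
    the same binder after the term is placed one level deeper."""
    return c + s if is_pos(s) else s


def var(x):
    """[[x]] = {(epsilon, x)}"""
    return frozenset({('', x)})


def app(t1, t2):
    """t1 t2 = {(e,@)} U {(2p,2s) | (p,s) in t1} U {(3p,3s) | (p,s) in t2}"""
    return (frozenset({('', APP)})
            | frozenset(('2' + p, shift('2', s)) for p, s in t1)
            | frozenset(('3' + p, shift('3', s)) for p, s in t2))


def lam(x, t):
    """lambda x.t: occurrences of x become references to the binder at
    epsilon, i.e. the pair (1p, epsilon); other symbols are shifted."""
    return (frozenset({('', LAM)})
            | frozenset(('1' + p, shift('1', s)) for p, s in t if s != x)
            | frozenset(('1' + p, '') for p, s in t if s == x))


def defined_positions(t):
    """D(t) of Definition 2: the domain of the partial function."""
    return {p for p, _ in t}


def undefined_edges(t):
    """Omega(t) of Definition 2: undefined positions whose parent is defined."""
    below_lam = {p + '1' for p, s in t if s == LAM}
    below_app = {p + c for p, s in t if s == APP for c in '23'}
    return (below_lam | below_app) - defined_positions(t)


def length(p, xyz):
    """|p|_xyz of Definition 8: a 1 costs x, a 2 costs y, a 3 costs z."""
    x, y, z = xyz
    weight = {'1': x, '2': y, '3': z}
    return sum(weight[c] for c in p)


def is_zero_undefined(t, xyz):
    """Premise of t ->_{Omega xyz} Omega (Definition 11): some undefined
    edge position p with |p|_111 > 0 lies at xyz-depth 0."""
    return any(length(p, (1, 1, 1)) > 0 and length(p, xyz) == 0
               for p in undefined_edges(t))


def omega_rule(t, xyz):
    """Apply the Omega_xyz rule at the root when its premise holds."""
    return OMEGA if is_zero_undefined(t, xyz) else t


if __name__ == '__main__':
    BOHM, LEVY_LONGO, BERARDUCCI = (0, 0, 1), (1, 0, 1), (1, 1, 1)
    samples = [('Omega v', app(OMEGA, var('v'))),
               ('v Omega', app(var('v'), OMEGA)),
               ('lambda x.Omega', lam('x', OMEGA))]
    for name, t in samples:
        flags = [is_zero_undefined(t, d) for d in (BOHM, LEVY_LONGO, BERARDUCCI)]
        print(f'{name:15} 0-undefined under 001/101/111: {flags}')
```

Under 001 both Ω v and λx.Ω are 0-undefined, under 101 only Ω v is, and under 111 neither is, matching the rules of Lévy quoted in Sect. 4 (Ω M → Ω and λx.Ω → Ω for Böhm trees, only Ω M → Ω for Lévy-Longo trees). The translation of λx.λy.x y shows the binder positions at work: the inner y is bound to position 1, the outer x to ε.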

The common part in the definition of reduction sequence for the metric and 
preservation calculi is the notion of pre-reduction sequence. 

Definition 12. Given a rewrite relation $R$ with positions, a pre-reduction 
sequence of length $\alpha$ is a tuple $((t_i)_{i \in \alpha+1}, (p_i)_{i \in \alpha})$, 
such that for all $i \in \alpha$: $t_i \to_{R, p_i} t_{i+1}$. 

We say that the depths of the redexes tend to infinity if for all limit 
ordinals $\alpha' \leq \alpha$: $\lim_{i \to \alpha'} |p_i|_{xyz} = \infty$. 
In a pre-reduction sequence every term must rewrite to its successor if it 
exists and optionally the depths of redexes must tend to infinity. A reduction 
sequence is a pre-reduction sequence where at every limit ordinal, the term is 
the “limit” of the sequence preceding it. 

Definition 13. A metric reduction sequence of length $\alpha$ is a 
pre-reduction sequence $((t_i)_{i \in \alpha+1}, (p_i)_{i \in \alpha})$ in which 
the depths of redexes tend to infinity, such that for all limit ordinals 
$\alpha' \leq \alpha$: $t_{\alpha'} = \lim_{i \to \alpha'} t_i$. 

We now have the components necessary to define the infinitary lambda calculi 
of Kennaway et al. We have done so in Table 1. Next, we define the new bits 
needed for our preservation calculi. 

Table 1. The $xyz$ infinitary lambda calculus 

set of terms: $T^\infty_{xyz}$ 

rewrite rules: $\to_\beta$, $\to_{\infty xyz}$, $\to_{\Omega xyz}$ 

transfinite sequences: strongly converging in the $d_{xyz}$ metric 



4 Preserved Approximation Infinitary Rewriting 

In this section we introduce our new preservation infinitary lambda calculi. 
Their limit definition uses the standard limes inferior on sequences of sets 
and the notion of preserved part of a term. 

Definition 14. Given a limit ordinal $\alpha$ and a sequence of sets 
$(S_i)_{i \in \alpha}$ the limes inferior is defined as 

$$\liminf_{i \in \alpha} S_i = \bigcup_{k \in \alpha} \bigcap_{k < j < \alpha} S_j .$$

The preservation limit of a reduction sequence cuts the terms at a position 
above the redex (see Def. 3), which is determined by applying the so-called 
preservation function to the position of the redex, and then takes the liminf 
of the resulting preserved parts of the terms: 

Definition 15. Let $\nabla : Pos \to Pos$ be a function such that 
$\forall p \in Pos : \nabla(p)$ is a prefix of $p$. A preservation reduction 
sequence of length $\alpha$ using $\nabla$ is a pre-reduction sequence 
$((t_i)_{i \in \alpha+1}, (p_i)_{i \in \alpha})$, such that for all limit 
ordinals $\alpha' \leq \alpha$ 

$$t_{\alpha'} = \liminf_{i \in \alpha'} (t_i \dagger \nabla(p_i)) .$$

The preservation functions that are needed to get behavior similar to the 
$xyz$ infinitary lambda calculi are: 
Definition 16. Given a position $p$, the preserved part of $p$ (denoted 
$\nabla_{xyz}(p)$) is given by 

$$\nabla_{xyz}(\varepsilon) = \varepsilon$$

$$\nabla_{xyz}(p1) = \ldots , \text{ if } x = 1 ; \quad \ldots , \text{ otherwise}$$

$$\nabla_{xyz}(p2) = \ldots , \text{ otherwise}$$

$$\nabla_{xyz}(p3) = \ldots , \text{ otherwise}$$


The preservation calculi are defined in Table 2. In the next section, we will 
study the relation between the metric and the preservation calculi. In the 
remainder of this section, we will discuss briefly the Böhm tree definition of 
Lévy. 

Table 2. The $xyz$ preservation lambda calculus. 

set of terms: $T^\infty_{xyz}$ 

rewrite rules: $\to_\beta$, $\to_{\Omega xyz}$ 

transfinite sequences: preservation sequences using $\nabla_{xyz}$ 



In his thesis ([Lev78]) Lévy defines the Böhm tree as follows 

$$BT(M) = \{a \in T \mid M \twoheadrightarrow N,\ a \leq_\Omega \omega(N)\} ,$$

where $\omega(N)$ is the normal form of $N$ with respect to 

$$(\lambda x.M)\,N \to \Omega \qquad \Omega\,M \to \Omega \qquad \lambda x.\Omega \to \Omega$$

Infinite terms are represented as sets of finite approximations. (The order 
is generated by $\Omega \leq_\Omega M$.) He also defined what we refer to as 
the Lévy-Longo tree as: 

$$LL(M) = \{a \in T \mid M \twoheadrightarrow N,\ a \leq_\Omega \omega(N)\} ,$$

where $\omega(N)$ is the normal form of $N$ with respect to 

$$(\lambda x.M)\,N \to \Omega \qquad \Omega\,M \to \Omega$$

As mentioned before, these trees correspond to the 001 and 101 calculi 
respectively. The connection between that work and this is that we could in 
each case have defined $\omega(N)$ as the normal form of $N$ with respect to 

$$(\lambda x.M)\,N \to \Omega \qquad M \to \Omega , \text{ if } M \to_{\Omega xyz} \Omega$$
5 Equivalences 

In this section we will prove that every metric reduction sequence is a 
preservation $\beta, \Omega xyz, \infty xyz$ reduction sequence with depths of 
redexes tending to infinity and vice versa. We will also show how to construct 
preservation $\beta, \Omega xyz$ sequences from preservation 
$\beta, \Omega xyz, \infty xyz$ sequences and vice versa. 

The equivalence of metric reduction sequences and preservation 
$\beta, \Omega xyz, \infty xyz$ reduction sequences with depths of redexes 
tending to infinity is really due to the fact that when the depth of redexes 
tends to infinity the limit notions are the same: 

Lemma 17. If $((t_i)_{i \in \alpha+1}, (p_i)_{i \in \alpha})$ is a 
pre-reduction sequence over $R$ where the depths of the redexes tend to 
infinity then for any limit ordinal $\alpha' \leq \alpha$: 

$$\lim_{i \to \alpha'} t_i = \liminf_{i \to \alpha'} t_i \dagger \nabla_{xyz}(p_i) .$$

Proof. Let $s_1 = \lim_{i \to \alpha'} t_i$, $s_2 = \liminf_{i \to \alpha'} t_i$ 
and $s_3 = \liminf_{i \to \alpha'} t_i \dagger \nabla_{xyz}(p_i)$. We will 
prove $s_1 = s_2$ by distinguishing two cases: 

“$\subseteq$” Given $(p, s) \in s_1$. By definition of limit, we can find 
$k < \alpha'$ such that for all $j$, $k < j < \alpha'$, we have 
$d_{xyz}(s_1, t_j) < 2^{-|p|_{xyz}}$. From $d_{xyz}(s_1, t_j) < 2^{-|p|_{xyz}}$ 
it follows that $t_j(p) = s$, which implies that 
$(p, s) \in \bigcap_{k < j < \alpha'} t_j \subseteq s_2$. 

“$\supseteq$” Given $(p, s) \in s_2$. By definition of liminf, we can find 
$k < \alpha'$ such that $(p, s) \in \bigcap_{k < j < \alpha'} t_j$. If 
$(p, s) \notin s_1$ then $d_{xyz}(t_j, s_1) \geq 2^{-|p|_{xyz}} > 0$, which 
contradicts the fact that $\lim_{i \to \alpha'} t_i = s_1$. 

We will prove $s_2 = s_3$ by case distinction also: 

“$\subseteq$” Given $(p, s) \in s_2$. By definition of liminf, we can find 
$k_1 < \alpha'$ such that for all $j$, $k_1 < j < \alpha'$: $(p, s) \in t_j$. 
Because $\lim_{i \to \alpha'} |p_i|_{xyz} = \infty$, we can find 
$k_2 < \alpha'$ such that for all $j$, $k_2 < j < \alpha'$: 
$|p_j|_{xyz} > |p|_{xyz}$. Let $k = \max(k_1, k_2)$; then for all $j$, 
$k < j < \alpha'$ we have $(p, s) \in t_j \dagger \nabla_{xyz}(p_j)$ and thus 
$(p, s) \in s_3$. 

“$\supseteq$” Trivial. □ 

If the limits are the same then the reduction sequences must be the same as 
well: 

Theorem 18. 1. Every metric $xyz$ reduction sequence is a preservation $xyz$ 
sequence with $\infty xyz$ steps. 

2. Every preservation $xyz$ reduction sequence with $\infty xyz$ steps in 
which the depths of the redexes tend to infinity is a metric $xyz$ reduction 
sequence. 

Proof. Corollary from Lemma 17. 

The key to the translation of preservation sequences with $\infty xyz$ steps 
to sequences without them is to replace these steps with subsequences of 
length $\omega$, which do the same job. However, the sequence removes the 
undefinedness more thoroughly than the step. For example, in the 001-calculi: 

$$(\lambda x.x\,x\,x)(\lambda x.x\,x\,x) \to (\lambda x.x\,x\,x)(\lambda x.x\,x\,x)(\lambda x.x\,x\,x) \to \Omega\,(\lambda x.x\,x\,x)$$

translates to 

$$(\lambda x.x\,x\,x)(\lambda x.x\,x\,x) \to (\lambda x.x\,x\,x)(\lambda x.x\,x\,x)(\lambda x.x\,x\,x) \to (\lambda x.x\,x\,x)(\lambda x.x\,x\,x)(\lambda x.x\,x\,x)(\lambda x.x\,x\,x) \to \cdots$$

The limit of that sequence is $\Omega$ instead of $\Omega\,(\lambda x.x\,x\,x)$ 
but we do have that $\Omega\,(\lambda x.x\,x\,x) \to \Omega$ and we also have 
$(\lambda x.x\,x\,x)(\lambda x.x\,x\,x) \to \Omega$. 

We say that two terms are equivalent up to 0-undefined sub-terms if there 
exists a third term to which both terms rewrite with an infinitary sequence, 
which uses only $\Omega xyz$ steps. Thus, the following theorem implies that 
any sequence with $\infty xyz$ steps can be translated to a sequence without 
those steps and which ends in a term which is equivalent up to 0-undefined 
sub-terms: 

Theorem 19. If $t_1 \to^{\alpha}_{\beta, \Omega xyz, \infty xyz} t_2$ is a 
preservation sequence then there exist $\alpha', \alpha'', t_3$, such that 
$t_1 \to^{\alpha'}_{\beta, \Omega xyz} t_3$ and $t_2 \to^{\alpha''}_{\Omega xyz} t_3$ 
are preservation sequences. 

Proof. Given $((s_i)_{i \in \alpha+1}, (p_i)_{i \in \alpha})$ with $s_0 = t_1$ 
and $s_\alpha = t_2$. The construction consists of two steps. The first step 
is projection of the sequence to $\Omega xyz$ (infinitary) normal forms. The 
second step is the replacement of $\infty xyz$ steps by $\beta$ sequences. 

By $\twoheadrightarrow_{\Omega xyz}$ we denote reduction to $\Omega xyz$ 
(infinitary) normal form of a term. Such a reduction always exists, ends in a 
unique term and can have length at most $\omega$. (The set of all redexes in a 
term is countable and no redex can duplicate any other (erasure is possible).) 
Thus, we can find $(s'_i)_{i \in \alpha+1}$ such that 
$s_i \twoheadrightarrow_{\Omega xyz} s'_i$. Let $t_3 = s'_\alpha$. 

For every step $s_i \to s_{i+1}$ in the original reduction, we construct a 
sequence between $s'_i$ and $s'_{i+1}$ by distinguishing the type of the step: 

“$s_i \to_\beta s_{i+1}$” If the redex is erased then $s'_i = s'_{i+1}$. 
Otherwise $s'_i \to_\beta \twoheadrightarrow_{\Omega xyz} s'_{i+1}$. 

“$s_i \to_{\Omega xyz} s_{i+1}$” This redex is certainly erased so 
$s'_i = s'_{i+1}$. 

“$s_i \to_{\infty xyz} s_{i+1}$” It is possible that the redex is erased and 
that we have $s'_i = s'_{i+1}$. Otherwise the step projects down to 
$s'_i \to_{\infty xyz} s'_{i+1}$. In the latter case, we can find a context 
$C$ with the hole at $\nabla_{xyz}(p_i)$, such that $s'_i = C[u_0]$, 
$u_0 \neq \Omega$ and $C[\Omega] = s'_{i+1}$. Thus, there exists a sequence 
$u_0 \to_\beta u_1 \to_\beta u_2 \cdots$ where infinitely often 
$|p\,p_i|_{xyz} = 0$. Hence the liminf of this sequence is $\Omega$. We also 
have 

$$C[u_0] \to_\beta C[u_1] \to_\beta C[u_2] \cdots$$
This construction yields a pre-reduction sequence from $t_1$ to $t_3$. To 
prove that this is also a reduction sequence, let us consider the limit 
points. These limit points can be of two types: 

— A limit point which was introduced by projecting $\beta$ or translating an 
$\infty xyz$ step. In this case the limit condition is satisfied because the 
subsequence is by construction a reduction sequence. 

— A limit point which survived projection. That is, a limit point in the 
given sequence such that infinitely many steps in front of it were translated 
into non-empty subsequences. In this case the results follow from the 
observation that if $s'_i \to \to \cdots$ in $\beta > 0$ steps then 

$$s_i \dagger \nabla_{xyz}(p_i) \quad \ldots \quad \dagger \nabla_{xyz}(p\,p_j) .$$

In other words, the approximations preserved by a step in the original 
sequence and preserved by rewriting to $\Omega xyz$ normal form are precisely 
those approximations preserved by the sub-sequence. Hence, first projecting 
and then taking the limit has the same result as first taking the limit and 
then projecting. 

Theorem 20. If $t_1 \to^{\alpha} t_2$ is a preservation sequence then there 
exists $\alpha'$ such that there exists a preservation sequence 
$t_1 \to^{\alpha'} t_2$ in which the depths of the redexes tend to infinity. 

Proof. By induction on the length of the sequence. 

Given the original $\alpha$. If $\alpha$ is not a limit ordinal we can apply 
the induction hypothesis on the predecessor of $\alpha$. We will now construct 
ordinals $\alpha_0 < \alpha_1 < \ldots < \alpha$ such that all redexes between 
$\alpha_i$ and $\alpha$ are at depth at least $i$. Let $\alpha_0 = 0$. Given 
$\alpha_i$, apply the induction hypothesis to the sequence up to $\alpha_i$. 
Let 

$$P = \{p \mid (p, s) \in t_{\alpha_i},\ p = \nabla_{xyz}(p),\ |p|_{xyz} = i\} .$$

Note that $P$ is a finite set. Every redex contracted after $\alpha_i$ has a 
prefix which is in $P$ because every redex contracted after $\alpha_i$ occurs 
at depth at least $i$. Let 

$$P_\infty = \{p \in P \mid \neg\exists \alpha' < \alpha : \forall \alpha' < \beta < \alpha : p \text{ is not a prefix of } p_\beta \vee |p_\beta|_{xyz} > i\} .$$

For each element $p$ of $P_\infty$ we replace the first redex contracted below 
$p$ by an $\infty xyz$ redex contracted at position $p$. We can now find 
$\alpha_{i+1}$ such that 

$$\forall \alpha_{i+1} < \beta < \alpha : |p_\beta|_{xyz} > i .$$



6 Conclusion 

We have introduced a new notion of limit for infinitary rewriting: the preserva- 
tion limit. The new notion is more elegant in two ways. First, the limit of any 
sequence is defined. Second, the new notion captures the notion of 0-active term 
in the limit definition so it needs only 0-undefined terms in its set of meaningless 
terms. 
For the infinitary lambda calculi 111, 101 and 001 we have proved that 
metric reduction sequences can be transformed into preservation reduction 
sequences with the same begin and end terms. We have also shown that 
preservation sequences can be transformed into metric sequences with the same 
begin terms and the same end terms up to 0-undefined sub-terms. 

In [Ken92] one can find an abstraction of metric infinitary rewriting. It would 
be interesting future work to develop an abstract version of preservation infini- 
tary rewriting and compare the two, or even to develop a framework of which 
both are specific examples. 
Abstract. In this paper we define Böhm-like trees for term rewriting 
systems (TRSs). The definition is based on the similarities between the 
Böhm trees, the Lévy-Longo trees, and the Berarducci trees. That is, 
the similarities between the Böhm-like trees of the λ-calculus. Given a 
term t a tree partially represents the root-stable part of t as created in 
each maximal fair reduction of t. In addition to defining Böhm-like trees 
for TRSs we define a subclass of Böhm-like trees whose members are 
monotone and continuous. 



1 Introduction 

In the theory of the λ-calculus there occur three very similar trees. These are 
the Böhm trees [1], the Lévy-Longo trees or lazy trees [2], and the Berarducci 
trees [3]. We call these trees the Böhm-like trees. In this paper we define 
Böhm-like trees for term rewriting systems (TRSs). We also define a subclass 
of Böhm-like trees whose members are monotone and continuous. 

The definition of Böhm-like trees for TRSs is based on the similarities 
between the Böhm-like trees of the λ-calculus. Given a term t a tree partially 
represents the root-stable part of t as created in each maximal fair reduction 
of t. Maximal means it is either a reduction to normal form or an infinite 
reduction. Fair means that every redex occurring in the reduction is 
eventually contracted. 

The actual part as represented by a particular Böhm-like tree depends on 
the definition of that tree. In the λ-calculus, Böhm trees represent subterms 
in head normal form, Lévy-Longo trees represent subterms in weak head normal 
form, and Berarducci trees represent all root-stable subterms. 

A root-stable part and a Böhm-like tree can become infinitely large in a 
maximal reduction. For example, if Y denotes a λ-term that behaves as a 
fixed-point combinator, then 

$$Y(\lambda xy.x) \to \lambda y_1.Y(\lambda xy.x) \to \lambda y_1.\lambda y_2.Y(\lambda xy.x) \to \cdots$$

and $\lambda y_1.\lambda y_2.\lambda y_3.\cdots$ is the Lévy-Longo tree of 
$Y(\lambda xy.x)$. It is also the Berarducci tree of $Y(\lambda xy.x)$. 

Construction. To obtain a partial representation of the root-stable part of a 
term t, as created in each maximal fair reduction, we construct partial 
representations of the root-stable parts as created in each finite reduction 
of t. That is, 

V. van Oostrom (Ed.): RTA 2004, LNCS 3091, pp. 233-248, 2004. 
(c) Springer-Verlag Berlin Heidelberg 2004 

we construct partial representations of the root-stable parts of the final 
terms. If we construct representations for final terms of increasingly longer 
reductions, then in the limit we get a partial representation of the 
root-stable part of t as created in each maximal fair reduction. 

Approaches. There are three approaches to formalising the above limit pro- 
cess. We discuss each of these in turn. The differences between the approaches 
originate from the different ways in which they represent trees. 

Ideal Completion. In this approach unspecified subterms and a partial order 
on terms are defined first. Then, employing the partial order, trees are 
defined by means of ideal completion. That is, trees are represented by 
ideals. The finite and infinite ideals represent respectively the finite and 
infinite trees. Constructing the partial representation of the root-stable 
part as created in a finite reduction is done with the help of functions. 
These functions are called direct approximant functions. Given a final term 
of a finite reduction a direct approximant function strips out subterms, 
leaving them unspecified. At least the non-root-stable subterms are stripped 
out. The exact definition of a direct approximant function depends on the 
particular Böhm-like tree [2,4-6]. 

Partial Functions. In this approach trees are represented as partial functions 
from the set of positions to the union of the signature and the variables. The 
partial functions with a finite and infinite domain represent respectively the finite 
and infinite trees. Given a term t, the symbol that occurs at a certain position 
in a Böhm-like tree of t is acquired by recursively reducing t and the subterms 
of the reduct of t until they are in head normal form, in weak head normal form, 
or root-stable, depending on the particular tree [1]. 

Metric Completion. In this approach a metric on terms is defined first. Then, trees are defined by means of metric completion of the set of terms. The terms and the elements created by metric completion represent respectively the finite and infinite trees. The Böhm-like tree of a term is obtained by means of infinitary rewriting in a transfinitely confluent version of the $\lambda$-calculus. Rewrite rules of the form $t \to \bot$ are used to obtain transfinite confluence. The actual terms $t$ that occur in the rewrite rules $t \to \bot$ depend on the particular Böhm-like tree [3,7].

Current Approach. In this paper we use ideal completion to define Böhm-like trees for TRSs. However, to keep the discussion simple we consider only confluent left-linear TRSs. Considering non-confluent TRSs at least requires additional clauses in Definition 5.1, as Blom [8] and Ariola and Blom [9] show.

Related Work. The related work can be divided into three categories. First, using ideal completion Boudol [10] and Ariola [11] already defined one particular Böhm-like tree. We discuss this tree in Example 6.11.

Second, Kennaway, Van Oostrom, and De Vries [12] define Böhm-like trees for TRSs on a similar level of abstraction as we do. They use metric completion and infinitary rewriting. To obtain transfinite confluence they formulate sufficient conditions on the terms that may occur in the rewrite rules $t \to \bot$. A comparison of their sufficient conditions and our approach is non-trivial and outside the scope of this paper.

Third, Boudol [10], Blom [8], and Ariola and Blom [9] use ideal completion to define Böhm-like trees that are more abstract than the ones defined here. In their approaches, as we further explain in Sect. 5, the range of the direct approximant functions no longer needs to consist of terms. Their approaches offer excellent frameworks for studying the most abstract properties shared between Böhm-like trees. However, their trees no longer represent the root-stable part of a term as created in each maximal fair reduction. In addition, their direct approximant functions cannot be restricted by relating the domain and range of the functions with the help of a partial order on terms. We use such relations when defining the subclass of Böhm-like trees that is monotone and continuous.



Overview. In the rest of this paper we proceed as follows. In Sect. 2 we give some preliminary definitions. Then, in Sect. 3, we define unspecified subterms and the related partial order. In Sect. 4 we define trees, and in Sect. 5 we give a definition of Böhm-like trees. After this we consider a subclass of computable direct approximant functions. The Böhm-like trees based on these direct approximant functions are monotone and continuous. We give the definition of the subclass in Sect. 6, and in Sect. 7 we prove that the trees are monotone and continuous. In Sect. 8, the final section, we give some possible directions for further research.

2 Preliminaries 

Most of the notation and concepts we use in this paper correspond to that in the books by Baader and Nipkow [13] and Stoltenberg-Hansen, Lindström, and Griffor [14]. In this section we summarise the most relevant notation and concepts.

Given a signature $\Sigma$ and a set of variables $X$, we denote by $\Sigma_n$ the subset of $\Sigma$ whose elements have arity $n$. By $Ter(\Sigma, X)$ we denote the set of terms over $\Sigma$ and $X$. We call a term $t \in Ter(\Sigma, X)$ linear if each variable from $X$ occurs at most once in $t$.

If $t \in Ter(\Sigma, X)$, then $Pos(t)$ denotes the set of positions of $t$. The positions have an associated prefix order. We say that $p$ is a prefix of $q$, denoted $p \leq q$, if there exists a position $r$ such that $p \cdot r = q$. Here, the symbol $\cdot$ denotes the concatenation of positions and $r$ may be the empty position $\epsilon$. We call the positions $p$ and $q$ parallel if neither $p \leq q$ nor $q \leq p$.

We denote the subterm of a term $t$ at position $p \in Pos(t)$ by $t|_p$. The replacement of a subterm at position $p$ in $t$ by a term $s$ is denoted $t[s]_p$.

Given a term $t$ and a substitution $\sigma$, we denote the application of $\sigma$ to $t$ by $\sigma(t)$. We also use notation like $t[x := t_1; y := t_2]$. In this case we have a substitution that replaces $x$ by $t_1$ and $y$ by $t_2$.




236 



Jeroen Ketema 



By $\mathcal{R} = (\Sigma, R)$ we denote a TRS over a signature $\Sigma$ and with the set of rewrite rules $R$. The elements of $R$ are denoted $l \to r$, where $l, r \in Ter(\Sigma, X)$. We call $\mathcal{R}$ left-linear, if the left-hand sides of all its rewrite rules are linear. The rewrite relation defined by $R$ is denoted $\to$. Its reflexive and transitive-reflexive closures are respectively denoted $\to^=$ and $\to^*$.

A TRS $\mathcal{R}$ is subcommutative, if for every $s \to t_1$ and $s \to t_2$ there exists a $u$ such that $t_1 \to^= u$ and $t_2 \to^= u$. Moreover, $\mathcal{R}$ is confluent, if for every $s \to^* t_1$ and $s \to^* t_2$ there exists a $u$ such that $t_1 \to^* u$ and $t_2 \to^* u$. A term $t$ is in normal form with respect to $\mathcal{R}$ if no redex occurs in $t$. The TRS $\mathcal{R}$ is terminating if all reductions are finite.

We call a term $t$ in a TRS root-stable if we cannot rewrite $t$ to a term which is a redex. We call a subterm $t|_p$ with $p \in Pos(t)$ root-stable if for all $q \leq p$ the term $t|_q$ is root-stable.

By $\mathcal{P} = (P, \sqsubseteq)$ we denote a partial order $\sqsubseteq$ over a set $P$. If $Q \subseteq P$, then $Q$ is consistent if there exists a $p \in P$ such that for all $q \in Q$ we have $q \sqsubseteq p$. If $Q$ has a least upper bound, then we denote it by $\bigsqcup Q$.

Given a partial order $\mathcal{P} = (P, \sqsubseteq)$, we call a non-empty set $D \subseteq P$ directed, if for all $p, q \in D$ there exists an $r \in D$ such that $p \sqsubseteq r$ and $q \sqsubseteq r$. Moreover, we call a non-empty set $D \subseteq P$ downward closed, if for all $p \sqsubseteq q$ with $p \in P$ and $q \in D$ we have $p \in D$.

A partial order $\mathcal{P} = (P, \sqsubseteq)$ is a conditional upper semi-lattice with least element (cusl), if $P$ has a least element and if every consistent subset of $P$ has a least upper bound. A set $I \subseteq P$ is an ideal, if it is downward closed and if every $\{p, q\} \subseteq I$ is consistent and has a least upper bound in $I$. An ideal is called finite if it has finite cardinality, otherwise it is called infinite.

For every directed set $D \subseteq P$ in a cusl $\mathcal{P} = (P, \sqsubseteq)$ we can define an ideal, denoted $\downarrow D$, called the downward closure of $D$:

$\downarrow D = \{p \in P \mid p \sqsubseteq q \text{ for some } q \in D\}$.

Moreover, we have that $\mathcal{P}^\infty = (P^\infty, \subseteq)$ is a partial order. Here, $P^\infty$ denotes $\{I \subseteq P \mid I \text{ is an ideal of } \mathcal{P}\}$ and $\subseteq$ denotes subset inclusion. The partial order $\mathcal{P}^\infty$ is called the ideal completion of $\mathcal{P}$.

3 Partial Terms

Let $\Sigma$ be a signature and $X$ a set of variables. To represent unspecified subterms we extend the signature with a constant $\bot$ which neither occurs in $\Sigma$ nor in $X$. The unspecified subterms are defined as those subterms that are equal to $\bot$.

We call the set of terms over the signature $\Sigma \cup \{\bot\}$ the set of partial terms. We denote the set by $Ter(\Sigma_\bot, X)$. We leave out the adjective partial when it is obvious from the context.

Given a TRS $\mathcal{R} = (\Sigma, R)$ we can define the TRS $(\Sigma \cup \{\bot\}, R)$. This definition is sound, as $\Sigma \subseteq \Sigma \cup \{\bot\}$. Moreover, the extended TRS has the same confluence and termination properties as $\mathcal{R}$, as we can consider $\bot$ to be a variable which we have singled out.
With the help of $\bot$ we can define a partial order on terms, called the prefix order. We can also define a strict partial order, called the strict prefix order.

Definition 3.1. Let $\Sigma$ be a signature and $X$ a set of variables.

1. The prefix order on $Ter(\Sigma_\bot, X)$, denoted $\preceq$, is the smallest binary relation such that

(a) $x \preceq x$ for all $x \in X$,

(b) $\bot \preceq t$ for all $t \in Ter(\Sigma_\bot, X)$, and

(c) $f(s_1, \ldots, s_n) \preceq f(t_1, \ldots, t_n)$ for all $f \in \Sigma_n$ and $s_i \preceq t_i$ with $1 \leq i \leq n$.

2. The strict prefix order on $Ter(\Sigma_\bot, X)$, denoted $\prec$, is the smallest binary relation such that for all $s, t \in Ter(\Sigma_\bot, X)$

$s \prec t$ iff $s \preceq t$ and $s \neq t$.

If $s \preceq t$, then we call $s$ a prefix of $t$. Moreover, if $s \prec t$, then we call $s$ a strict prefix of $t$. The term $s$ is a prefix of the term $t$ if either $s$ and $t$ are equal or if there exist unspecified subterms in $s$ which are specified in $t$ but not the other way around. See Fig. 1 for a graphical representation.





Fig. 1. The prefix order on $Ter(\Sigma_\bot, X)$



By induction on the structure of terms it follows that $\mathcal{PT} = (Ter(\Sigma_\bot, X), \preceq)$ and $\mathcal{SPT} = (Ter(\Sigma_\bot, X), \prec)$ are respectively a partial order and a strict partial order. The pair $\mathcal{PT}$ is in fact a cusl. The existence of a least element, the constant $\bot$, follows by the second clause of the prefix order and the anti-symmetry of partial orders. By the same facts and by induction on the structure of terms it follows that every consistent set of terms has a least upper bound.

We have the following relations between the prefix orders and the positions of terms.

Lemma 3.2. Let $s, t \in Ter(\Sigma_\bot, X)$.

1. For all $s \preceq t$

- $Pos(s) \subseteq Pos(t)$, and

- for all $p \in Pos(s)$ such that $s|_p \neq \bot$, the root symbol of $s|_p$ is equal to the root symbol of $t|_p$.

2. For all $s \prec t$, there exists a $p \in Pos(s)$ such that $s|_p = \bot$ and $t|_p \neq \bot$.

Proof. By induction on the structure of terms. □

Using the previous lemma we prove well-foundedness of the strict prefix order.

Proposition 3.3. The strict prefix order on $Ter(\Sigma_\bot, X)$ is well-founded.

Proof. Let $s, t \in Ter(\Sigma_\bot, X)$ with $s \prec t$. From Lemma 3.2 it follows that

$\#\{p \mid p \in Pos(s), s|_p \neq \bot\} < \#\{p \mid p \in Pos(t), t|_p \neq \bot\}$,

where $\#S$ denotes the cardinality of $S$. Hence, as $<$ is a well-founded order on the natural numbers, the result follows. □
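The following Python program is an illustration added to this text and not code from the paper. It implements the prefix order $\preceq$ of Definition 3.1 on partial terms, the counting measure $\#\{p \in Pos(t) \mid t|_p \neq \bot\}$ from the proof of Proposition 3.3, and least upper bounds in the cusl $\mathcal{PT}$. The representation (variables and constants as strings, $\bot$ as the string "⊥", and $f(t_1, \ldots, t_n)$ as the tuple `("f", t_1, ..., t_n)`) and all function names are choices made for this example; the paper fixes no implementation.

```python
# Added illustration (not code from the paper): partial terms and the prefix order.
# A partial term is a string (a variable or constant; BOT is the unspecified subterm)
# or a tuple (function symbol, argument 1, ..., argument n).
BOT = "⊥"


def is_prefix(s, t):
    """s ≼ t, the prefix order of Definition 3.1: ⊥ is below every term, a variable or
    constant is below itself only, and f(s1,...,sn) ≼ f(t1,...,tn) iff si ≼ ti for all i."""
    if s == BOT:
        return True
    if isinstance(s, str) or isinstance(t, str):
        return s == t
    return (s[0] == t[0] and len(s) == len(t)
            and all(is_prefix(a, b) for a, b in zip(s[1:], t[1:])))


def is_strict_prefix(s, t):
    """s ≺ t: s ≼ t and s ≠ t."""
    return s != t and is_prefix(s, t)


def positions(t, here=()):
    """Pos(t) as tuples of 1-based argument indices; () is the root position ε."""
    if isinstance(t, str):
        return {here}
    return {here} | {p for i, a in enumerate(t[1:], 1) for p in positions(a, here + (i,))}


def subterm(t, p):
    """t|p for p ∈ Pos(t)."""
    for i in p:
        t = t[i]
    return t


def specified_count(t):
    """#{p ∈ Pos(t) | t|p ≠ ⊥}: the measure that strictly decreases along ≺ in the proof
    of Proposition 3.3, which is why ≺ is well-founded."""
    return sum(1 for p in positions(t) if subterm(t, p) != BOT)


def lub(s, t):
    """Least upper bound of {s, t} in the cusl PT, or None when {s, t} is inconsistent
    (two different symbols at the same position, where neither is ⊥)."""
    if s == BOT:
        return t
    if t == BOT:
        return s
    if isinstance(s, str) or isinstance(t, str):
        return s if s == t else None
    if s[0] != t[0] or len(s) != len(t):
        return None
    args = [lub(a, b) for a, b in zip(s[1:], t[1:])]
    return None if any(a is None for a in args) else (s[0],) + tuple(args)


def lub_of_set(terms):
    """⊔Q for a finite set Q of partial terms; None when Q is not consistent."""
    acc = BOT
    for u in terms:
        acc = lub(acc, u)
        if acc is None:
            return None
    return acc
```

With `s = ("f", BOT, "a")` and `t = ("f", "a", "a")` one has `is_strict_prefix(s, t)`, `positions(s) <= positions(t)` as in Lemma 3.2, and `specified_count(s) == 2 < 3 == specified_count(t)` as in the proof of Proposition 3.3; `lub(("f", BOT, "a"), ("f", "a", BOT))` is `("f", "a", "a")`, while `("f", "a", "a")` and `("f", "b", BOT)` have no upper bound.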

We can extend the prefix order to substitutions by means of a point-wise definition. That is, given substitutions $\sigma$ and $\tau$

$\sigma \preceq \tau$ iff $\sigma(x) \preceq \tau(x)$ for all $x \in X$.

Using this definition we can also extend the strict prefix order to substitutions

$\sigma \prec \tau$ iff $\sigma \preceq \tau$ and $\sigma(x) \prec \tau(x)$ for some $x \in X$.

Thus, for all variables we must have $\sigma(x) \preceq \tau(x)$ and for at least one variable we must also have $\sigma(x) \prec \tau(x)$.

The extensions of the prefix order and the strict prefix order to substitutions are again respectively a partial order and a strict partial order. This follows easily from their definitions and the fact that the prefix order and the strict prefix order on terms are respectively a partial order and a strict partial order.

The following property holds with respect to the extension of the prefix order to substitutions. The property plays an essential role in Sect. 6.

Lemma 3.4. Let $s, t \in Ter(\Sigma_\bot, X)$ such that $t$ is linear. If $s \preceq \tau(t)$ for some substitution $\tau$, then there exist an $s' \in Ter(\Sigma_\bot, X)$ and a substitution $\sigma'$ such that $s = \sigma'(s')$, $s' \preceq t$, $\sigma' \preceq \tau$, and $s'$ linear.

Proof. Suppose $s \preceq \tau(t)$ for some substitution $\tau$. We prove the result by induction on the number of positions $p \in Pos(s)$ such that $s|_p = \bot$ and $\tau(t)|_p \neq \bot$.

Base Case. There are no positions $p$ such that $s|_p = \bot$ and $\tau(t)|_p \neq \bot$. Hence, $s = \tau(t)$ and the result follows by defining $s' = t$ and $\sigma' = \tau$.

Induction Step. Suppose the result holds for some number of positions $n \geq 0$. Let us prove it holds for $n + 1$ positions.

As $n + 1 > 0$, there exists a position $p \in Pos(s)$ such that $s|_p = \bot$ and $\tau(t)|_p \neq \bot$. With respect to $p$ there are two possibilities:

1. $p$ is a non-variable position of $t$, or

2. there exists a variable position $q$ of $t$ such that $p = q \cdot r$.

In the first case define

$t' = t[\bot]_p$, and $\tau'(x) = \tau(x)$ for all $x \in X$.

In the second case define

$t' = t$, and $\tau'(x) = \tau(x)[\bot]_r$ if $x = t|_q$, and $\tau'(x) = \tau(x)$ otherwise.

In both cases $t' \preceq t$, $\tau' \preceq \tau$ and $t'$ is linear. Moreover, as $s|_p = \bot$ and $\tau(t)|_p \neq \bot$, it follows that $s \preceq \tau'(t') \prec \tau(t)$ and that $p$ is the only position such that $\tau'(t')|_p = \bot$ and $\tau(t)|_p \neq \bot$. Consequently, the number of positions $p$ with $s|_p = \bot$ and $\tau'(t')|_p \neq \bot$ is $n$, and by the induction hypothesis it follows that there exist an $s'$ and $\sigma'$ such that $s = \sigma'(s')$, $s' \preceq t'$, $\sigma' \preceq \tau'$, and $s'$ linear. The actual result follows by transitivity of the prefix orders on terms and substitutions. □

We conclude this section with two remarks regarding the previous lemma.

Remark 3.5. If the position $p$ as used in the induction step is a variable position of the term $t$, then there is in fact more than one way to construct $t'$ and $\tau'$. Consider, for example, $s = f(\bot, a)$, $t = f(x, y)$, and $\tau = [x := a; y := a]$. Following the proof of the lemma we have

$f(x, y)[x := \bot; y := a] = f(\bot, a) \preceq f(a, a) = f(x, y)[x := a; y := a]$.

However, we also have

$f(\bot, y)[x := a; y := a] = f(\bot, a) \preceq f(a, a) = f(x, y)[x := a; y := a]$.

That is, in the first case $t' = f(x, y)$ and $\tau' = [x := \bot; y := a]$ and in the second case $t' = f(\bot, y)$ and $\tau' = [x := a; y := a]$.

Remark 3.6. If $t$ is not assumed to be linear, it is in general not possible to prove the lemma. Consider, for example, $s = f(g(\bot), g(a))$, $t = f(x, x)$, and $\tau = [x := g(a)]$. Although we have

$f(g(\bot), g(a)) \preceq f(g(a), g(a)) = f(x, x)[x := g(a)]$,

there does not exist a substitution $\sigma'$ such that $\sigma'(f(x, x)) = f(g(\bot), g(a))$. The first argument of $s$ is not equal to its second argument.



4 Trees 

We define the set of trees by means of ideal completion.

Definition 4.1. Let $\Sigma$ be a signature and $X$ a set of variables. The set of trees, denoted $\mathcal{T}^\infty(\Sigma_\bot, X)$, is defined by

$\mathcal{T}^\infty(\Sigma_\bot, X) = \{I \subseteq Ter(\Sigma_\bot, X) \mid I \text{ is an ideal of } \mathcal{PT}\}$.

In this definition the finite and infinite ideals represent respectively the finite trees and infinite trees. We do not explain ideal completion any further. This has been done elsewhere [14].

The following three concepts are related to trees.

Definition 4.2. Let $S, T \in \mathcal{T}^\infty(\Sigma_\bot, X)$. Define

Prefix Order: $S \preceq T$ iff for all $s \in S$ there exists a $t \in T$ such that $s \preceq t$,
Positions: $Pos(T) = \bigcup\{Pos(t) \mid t \in T\}$, and
Subtree: $T|_p = \{t|_p \mid t \in T, p \in Pos(t)\}$ if $p \in Pos(T)$.

Two remarks are in order with respect to this definition. First, as trees are ideals, the prefix order is in fact subset inclusion. Hence, the least upper bound of a consistent set of trees is its union. Second, as follows immediately from its definition, $T|_p$ is an ideal, and it is finite when $T$ is finite.

We can clarify the chosen terminology with the help of an isomorphism $\iota$ from $Ter(\Sigma_\bot, X)$ to the finite ideals of $\mathcal{T}^\infty(\Sigma_\bot, X)$. Given a term $t$, the isomorphism is defined by

$\iota(t) = \downarrow\{t\} = \{s \mid s \preceq t\}$.

The set $\iota(t)$ is finite. This follows from the definition of the prefix order and from the fact that $t$ has a finite number of symbols. The set $\iota(t)$ is also an ideal. This follows by the definition of downward closure.

The inverse of $\iota$ assigns to each finite ideal $I$ its least upper bound. That is,

$\iota^{-1}(I) = \bigsqcup I$.

The existence of the least upper bound of $I$ follows by the definition of finite ideals. By this fact and the facts about $\iota(t)$ it follows easily that $\iota$ actually is an isomorphism. Hence, each term corresponds to a finite ideal and vice versa. As we can view every term as a finite tree, we also call a finite ideal a finite tree.

The following observations relate the concepts from Definition 4.2 with the prefix order, the set of positions, and the subterm at a position, as defined in the preliminaries. We assume that $s, t \in Ter(\Sigma_\bot, X)$ and that $S$ and $T$ are finite ideals of $\mathcal{T}^\infty(\Sigma_\bot, X)$.

$s \preceq t$ iff $\iota(s) \preceq \iota(t)$, and $S \preceq T$ iff $\iota^{-1}(S) \preceq \iota^{-1}(T)$,
$Pos(t) = Pos(\iota(t))$, and $Pos(T) = Pos(\iota^{-1}(T))$,
$\iota(t|_p) = \iota(t)|_p$, and $\iota^{-1}(T|_p) = \iota^{-1}(T)|_p$.

5 Böhm-Like Trees

A Böhm-like tree of a term $t$ partially represents the root-stable part of $t$ as created in each maximal fair reduction of $t$. To obtain a Böhm-like tree of $t$ we construct partial representations of the root-stable parts of the final terms of all finite reductions. This is done with a direct approximant function. The definition of such a function depends on the particular Böhm-like tree. However, all direct approximant functions must satisfy the following definition. It summarises the properties shared between the direct approximant functions defined in earlier papers [2,4-6,11].

Definition 5.1. Let $\mathcal{R} = (\Sigma, R)$ be a TRS. A direct approximant function of $\mathcal{R}$ is a function $\omega : Ter(\Sigma_\bot, X) \to Ter(\Sigma_\bot, X)$, such that for all $s, t \in Ter(\Sigma_\bot, X)$ and substitutions $\sigma$

1. $\omega(t) \preceq t$,

2. if $t|_p = \sigma(l)$, then $\omega(t) \preceq t[\bot]_p$ for all $p \in Pos(t)$ and $l \to r \in R$, and

3. if $s \to t$, then $\omega(s) \preceq \omega(t)$.
In the remainder of this section we assume $\mathcal{R} = (\Sigma, R)$ is a confluent left-linear TRS and $\omega$ is a direct approximant function of $\mathcal{R}$.

Given a term $t$, we call $\omega(t)$ the direct approximant of $t$. Note that by the first and second clause of Definition 5.1 a direct approximant is in normal form with respect to $\mathcal{R}$.

The first clause of Definition 5.1 expresses that a direct approximant of a term is a prefix of that term. Note that the root-stable part of a term, or any of its prefixes, is such a prefix. The first clause is a consequence of the second clause for terms not in normal form.

The second and third clause of Definition 5.1 are motivated by the following lemma. It expresses that a direct approximant only provides information on the root-stable part of a term.

Lemma 5.2. Let $t \in Ter(\Sigma_\bot, X)$ and $p \in Pos(t)$. If $t|_p$ is not a root-stable subterm of $t$, then there exists a $q \leq p$ such that $q \in Pos(\omega(t))$ and $\omega(t)|_q = \bot$.

Proof. This follows immediately from the definition of root-stable subterms and the second and third clause of Definition 5.1. □

We are now almost ready to define Böhm-like trees. However, we first need to define the notion of auxiliary set. An auxiliary set of a term $t$ consists of the direct approximants of all the reducts of $t$.

Definition 5.3. If $t \in Ter(\Sigma_\bot, X)$, then its auxiliary set, denoted $A(t)$, is defined by

$A(t) = \{\omega(s) \mid t \to^* s\}$.

Auxiliary sets have the following property.

Lemma 5.4. Let $t \in Ter(\Sigma_\bot, X)$. The set $A(t)$ is directed.

Proof. The set $A(t)$ is non-empty, as follows from the fact that $\omega(t) \in A(t)$. Moreover, for all $s_1, s_2 \in A(t)$ there exists an $r \in A(t)$ such that $s_1 \preceq r$ and $s_2 \preceq r$, as follows from the third clause of Definition 5.1 and the assumption that all considered TRSs are confluent. □

The set $A(t)$ is not necessarily a tree. Consider, for example, the TRS $\mathcal{R} = (\{c\}, \emptyset)$ with $c$ a constant. Since there are no reduction rules, the identity function on $Ter(\{c\}_\bot, X)$ is a direct approximant function. Hence, we have $A(c) = \{c\}$. This is not a tree, as $\bot \notin \{c\}$. However, as $A(t)$ is directed and as trees are ideals we can obtain a tree by closing $A(t)$ downward. This leads to the following definition of Böhm-like trees.

Definition 5.5. If $t \in Ter(\Sigma_\bot, X)$, then its Böhm-like tree, denoted $BLT(t)$, is defined by

$BLT(t) = \downarrow A(t)$.

We have for each $t$ that $\downarrow A(t)$ exists and is unique. Hence, $BLT$ is a function from $Ter(\Sigma_\bot, X)$ to $\mathcal{T}^\infty(\Sigma_\bot, X)$. By Lemma 5.2 and the fact that root-stability is preserved under reduction, Böhm-like trees only provide information on root-stable parts.

We now give two examples of direct approximant functions and Böhm-like trees.

Example 5.6 (Trivial Trees). Given a term $t$, its trivial direct approximant is defined by $\omega_T(t) = \bot$.

The three clauses of Definition 5.1 hold trivially. As we have for all $t \to^* s$ that $\omega_T(s) = \bot$, it follows that $BLT(t) = A(t) = \{\bot\}$. Note that $\omega_T$ is minimal in the sense that it does not provide any information on root-stable subterms.

Example 5.7 (Berarducci-Like Trees). Given a term $t$, its Berarducci-like direct approximant $\omega_{BeL}$ replaces precisely all non-root-stable subterms of $t$ by $\bot$.

Again, the three clauses of Definition 5.1 hold trivially. Note that $\omega_{BeL}$ is maximal in the sense that it preserves all root-stable subterms. Unfortunately, as root-stability is undecidable, $\omega_{BeL}$ is in general not computable.

Berarducci-like trees are modelled after the Berarducci trees from the $\lambda$-calculus [3]. The direct approximant function associated with the Berarducci trees also replaces precisely all non-root-stable subterms by $\bot$.

To make the Berarducci-like trees more concrete let us consider combinatory logic (CL) with the combinators $S$, $K$, and $I$ and the usual reduction rules. The following trees are Berarducci-like trees for CL.

$BLT(K\bot) = \{\bot, \bot\bot, K\bot\}$

$BLT(YK) = \{\bot, \bot\bot, K\bot, \bot(\bot\bot), \ldots\}$

$BLT(SII(SII)) = \{\bot\}$

The subterm $Y$ in the second tree denotes a term that behaves as a fixed-point combinator. In the case of the last tree note that for every $SII(SII) \to^* t$ we have $t \to^* SII(SII)$. Hence, no reduct of $SII(SII)$ is root-stable.

We end this section with a proof that Böhm-like trees are preserved under rewriting and by discussing some related work.

Proposition 5.8. Let $s, t \in Ter(\Sigma_\bot, X)$. If $s \to t$, then $BLT(s) = BLT(t)$.

Proof. Suppose $s \to t$. We prove $BLT(s) \preceq BLT(t)$ and $BLT(t) \preceq BLT(s)$. The result follows from the observation that the prefix order on trees is in fact subset inclusion.

By the definition of Böhm-like trees there exists for every $t'' \in BLT(s)$ a term $t'$ such that $s \to^* t'$ and $t'' \preceq \omega(t')$. As we assume that every TRS is confluent, there exists an $r$ such that $t \to^* r$ and $t' \to^* r$. Thus, $\omega(r) \in A(t) \subseteq BLT(t)$. Moreover, by the third clause of Definition 5.1, $\omega(t') \preceq \omega(r)$. Hence, $t'' \preceq \omega(r)$ and $BLT(s) \preceq BLT(t)$.

As every reduct of $t$ is a reduct of $s$, we have $A(t) \subseteq A(s)$. By the definition of downward closure $\downarrow A(t) \subseteq \downarrow A(s)$. Thus, $BLT(t) \preceq BLT(s)$. □
In the work by Boudol [10], Blom [8], and Ariola and Blom [9] a more abstract approach is taken to defining Böhm-like trees. They use more abstract definitions of direct approximant functions.

Boudol [10] only requires of the range of the direct approximant function that it is an algebra over $Ter(\Sigma_\bot, X)$. The range does not need to be $Ter(\Sigma_\bot, X)$. In correspondence with this, Boudol drops the first clause of Definition 5.1.

Blom [8] and Ariola and Blom [9] require the domain of the direct approximant function only to be an ARS $\mathcal{A} = (A, \to)$ with a partial order on $A$. The ARS $\mathcal{A}$ does not need to be confluent. The range of the direct approximant function may be an arbitrary (complete) partial order. In correspondence with this, they drop the first and second clause of Definition 5.1. They also add a new clause to compensate for the fact that $\mathcal{A}$ does not need to be confluent.

6 Direct Approximant TRSs 

In this section we define a class of confluent and terminating TRSs, the direct approximant TRSs ($\omega$TRSs). We prove that the function that assigns to each term in such a TRS its unique normal form is a direct approximant function. In the next section we prove that the Böhm-like trees based on $\omega$TRSs are monotone and continuous.

Not every direct approximant function can be defined by means of a confluent and terminating TRS. An example is the function $\omega_{BeL}$ from the previous section. This function cannot be defined by means of a TRS, as unique normal forms of confluent and terminating TRSs are always computable, while root-stability and, hence, $\omega_{BeL}$ is not.

As in the case of direct approximant functions, the definition of $\omega$TRSs is relative to a given TRS. The definition summarises the properties shared between the TRSs used to define direct approximant functions in earlier papers [6, 10, 11, 15].

Definition 6.1. Let $\mathcal{R} = (\Sigma, R)$ be a confluent left-linear TRS. A direct approximant TRS ($\omega$TRS) of $\mathcal{R}$ is a left-linear TRS $\mathcal{D} = (\Sigma_\bot, D)$, whose rewrite relation, denoted $\to_\omega$, satisfies

1. $e = \bot$ for all $d \to e \in D$,

2. $\bot$ is a normal form with respect to $\to_\omega$,

3. $t \to_\omega^* \bot$ for all $t \preceq d$ with $d \to \bot \in D$ (see Fig. 2), and

4. $l \to_\omega^* \bot$ for all $l \to r \in R$.

In the remainder of this section we assume $\mathcal{R} = (\Sigma, R)$ is a confluent left-linear TRS and $\mathcal{D} = (\Sigma_\bot, D)$ is an $\omega$TRS of $\mathcal{R}$. We proceed as follows. First, we give an example of an $\omega$TRS. Then, we prove $\omega$TRSs are confluent and terminating using the first, second, and third clause of Definition 6.1. Finally, we prove that the unique normal forms define direct approximants using the third and fourth clause.

Example 6.2 (Huet-Lévy $\omega$TRSs). The rewrite rules of the Huet-Lévy $\omega$TRS are all rules of the form $t \to \bot$ such that $\bot \prec t \preceq l$ and $l \to r \in R$.




Fig. 2. Definition 6.1.(3): $t \preceq d$, $d \to_\omega \bot$, and $t \to_\omega^* \bot$.

Fig. 3. Lemma 6.7: $s \preceq t$, $t \to_\omega^* t'$, $s \to_\omega^* s'$, and $s' \preceq t'$.

Fig. 4. Lemma 6.8: $s \to^* t$, $t \to_\omega^* t'$, $s \to_\omega^* s'$, and $s' \preceq t'$.



The four clauses of Definition 6.1 follow trivially from the definition of Huet-Lévy $\omega$TRSs. The direct approximant function defined by a Huet-Lévy $\omega$TRS originates from the work by Huet and Lévy [16]. The first formulation as a TRS is by Klop and Middeldorp [15]. The definition of Klop and Middeldorp differs slightly from ours, but equality of the transitive-reflexive closures follows easily with the help of Lemma 3.4.

The Huet-Lévy $\omega$TRS for CL has no less than 28 rewrite rules. However, using the fact that the third clause of Definition 6.1 is formulated in terms of the transitive-reflexive closure of $\to_\omega$, we can define an $\omega$TRS with the same transitive-reflexive closure but with only four rewrite rules.

$Sxyz \to \bot$   $Kxy \to \bot$   $Ix \to \bot$   $\bot x \to \bot$

Hence, the formulation of the third clause of Definition 6.1 enables us to define more "economic" $\omega$TRSs.

To prove confluence of $\mathcal{D}$ we first show that confluence holds for $\omega$TRSs for which the third clause of Definition 6.1 can be strengthened to

$t \to_\omega^= \bot$ for all $t \preceq d$ with $d \to \bot \in D$.

That is, $t$ must rewrite to $\bot$ in at most one step and not just in finitely many steps. We call $\omega$TRSs with this strengthened third clause single-step $\omega$TRSs.

Lemma 6.3. If $\mathcal{E} = (\Sigma_\bot, E)$ is a single-step $\omega$TRS, then $\mathcal{E}$ is confluent.

Proof. The $\omega$TRS $\mathcal{E} = (\Sigma_\bot, E)$ is subcommutative by the first clause of Definition 6.1 and the single-step assumption. Confluence is implied by subcommutativity [13, Lemma 2.7.4]. □

Using confluence of single-step $\omega$TRSs we can prove confluence of $\mathcal{D}$.

Proposition 6.4. The $\omega$TRS $\mathcal{D}$ is confluent.

Proof. Define a TRS $\mathcal{E} = (\Sigma_\bot, E)$ such that $t \to \bot \in E$ for all $t \in Ter(\Sigma_\bot, X)$ with $\bot \neq t \preceq d$ and $d \to \bot \in D$. The TRS $\mathcal{E}$ is a single-step $\omega$TRS, as follows easily from its definition. Moreover, by the definition of $\mathcal{E}$, the transitive-reflexive closures of $\mathcal{D}$ and $\mathcal{E}$ are equal. Hence, $\mathcal{D}$ is confluent by Lemma 6.3. □

To prove termination of $\mathcal{D}$ we need the following lemma with respect to the rewrite relation of $\mathcal{D}$.

Lemma 6.5. Let $s, t \in Ter(\Sigma_\bot, X)$. If $s \to_\omega t$, then $t \prec s$.

Proof. By the first clause of Definition 6.1 a reduction step $s \to_\omega t$ is a replacement of a subterm $s'$ at a position $p$ in $s$ by $\bot$. By the second clause $s' \neq \bot$, so $\bot \prec s'$ and we have $t = s[\bot]_p \prec s[s']_p = s$. □

We can now prove termination.

Proposition 6.6. The $\omega$TRS $\mathcal{D}$ is terminating.

Proof. By Lemma 6.5 and Proposition 3.3. □

By Propositions 6.4 and 6.6 each term $t$ in $\mathcal{D}$ has a unique normal form. We denote this unique normal form by $\omega(t)$. We now prove that $\omega$ defines a direct approximant function. In order to do this, we first prove three lemmas.

Lemma 6.7. Let $s, t, t' \in Ter(\Sigma_\bot, X)$. If $s \preceq t$ and $t \to_\omega^* t'$, then there exists an $s' \in Ter(\Sigma_\bot, X)$ such that $s' \preceq t'$ and $s \to_\omega^* s'$ (see Fig. 3).

Proof. We give a proof for the case $t \to_\omega t'$. The result follows by induction on the length of $t \to_\omega^* t'$.

Suppose the redex contracted in $t \to_\omega t'$ occurs at position $p$. There are two cases to consider depending on the occurrence of $p$ in $s$.

The position $p$ does not occur in $s$. By the definition of the prefix order there exists a $q \leq p$ such that $s|_q = \bot$. Define $s' = s$. As $t \to_\omega t'$ replaces the subterm at position $p$ by $\bot$, we have by $s|_q = \bot$ and $q \leq p$ that $s \preceq t'$. Moreover, $s \to_\omega^* s' = s$ in zero steps.

The position $p$ occurs in $s$. In this case, $s|_p \preceq t|_p$. As $t|_p$ is a redex, we have by Lemma 3.4 and the third clause of Definition 6.1 that $s|_p \to_\omega^* \bot = t'|_p$. Define $s' = s[\bot]_p$. As $t' = t[\bot]_p$, we have $s' \preceq t'$. Moreover, as $s|_p \to_\omega^* \bot$, we have $s \to_\omega^* s'$. □

Lemma 6.8. Let $s, t, t' \in Ter(\Sigma_\bot, X)$. If $s \to^* t$ and $t \to_\omega^* t'$, then there exists an $s' \in Ter(\Sigma_\bot, X)$ such that $s \to_\omega^* s'$ and $s' \preceq t'$ (see Fig. 4).

Proof. We give a proof for the case $s \to t$. The result follows by induction on the length of $s \to^* t$.

Suppose the redex contracted in $s \to t$ occurs at position $p$. As $s[\bot]_p \preceq t$, there exists by Lemma 6.7 an $s'$ such that $s' \preceq t'$ and $s[\bot]_p \to_\omega^* s'$. Moreover, $s \to_\omega^* s'$, because by the fourth clause of Definition 6.1 $s \to_\omega^* s[\bot]_p$. □

Lemma 6.9. Let $s, t \in Ter(\Sigma_\bot, X)$. The following properties hold:

1. $\omega(t) \preceq t$,

2. $\omega(t) = \omega(t[\omega(t|_p)]_p)$ for all $p \in Pos(t)$,

3. $\omega(\omega(t)) = \omega(t)$,

4. $\omega(s) \preceq \omega(t)$ if $s \preceq t$, and

5. $\omega(s) \preceq \omega(t)$ if $s \to^* t$.

Proof. 1. As $\omega(t)$ is the unique normal form of $t$, we have $t \to_\omega^* \omega(t)$. The result follows by repeated application of Lemma 6.5.

2. For every $t|_p \to_\omega s$ we have $t = t[t|_p]_p \to_\omega t[s]_p$. Hence, as $t|_p \to_\omega^* \omega(t|_p)$, the result follows by confluence of $\omega$TRSs.

3. By the second clause of the current lemma with $p = \epsilon$.

4. As $t \to_\omega^* \omega(t)$, there exists by Lemma 6.7 an $s'$ such that $s \to_\omega^* s'$ and $s' \preceq \omega(t)$. Moreover, by confluence of $\omega$TRSs $\omega(s') = \omega(s)$ and by the first clause of the current lemma $\omega(s') \preceq s'$. Hence, by transitivity of the prefix order $\omega(s) \preceq \omega(t)$.

5. Analogous to the fourth clause of the current lemma using Lemma 6.8 instead of Lemma 6.7. □

We can now prove the following theorem.

Theorem 6.10. The function $\omega : Ter(\Sigma_\bot, X) \to Ter(\Sigma_\bot, X)$ which assigns to each term its unique normal form with respect to $\mathcal{D}$ is a direct approximant function.

Proof. The first clause of Definition 5.1 follows from Lemma 6.9.(1). The second clause follows from the fourth clause of Definition 6.1 and the fact that $\omega$TRSs are confluent. The third clause follows from Lemma 6.9.(5). □

We now know that each $\omega$TRS defines a direct approximant function. Hence, it also defines a Böhm-like tree.

Example 6.11 (Huet-Lévy Trees). The Huet-Lévy $\omega$TRS of Example 6.2 defines the Huet-Lévy tree.

The Huet-Lévy tree is the Böhm-like tree already defined by Boudol [10] and Ariola [11].

Huet-Lévy trees provide more information than the trivial trees, but less than the Berarducci-like trees. For example, given the TRS with the single rewrite rule $f(a) \to b$ we have the following trees.

$BLT_T(f(\bot)) = \{\bot\}$   $BLT_T(f(a)) = \{\bot\}$

$BLT_{HL}(f(\bot)) = \{\bot\}$   $BLT_{HL}(f(a)) = \{\bot, b\}$

$BLT_{BeL}(f(\bot)) = \{\bot, f(\bot)\}$   $BLT_{BeL}(f(a)) = \{\bot, b\}$
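The following Python program is an illustration added to this text, not code from the paper, that makes Sections 5 and 6 concrete for combinatory logic. `omega` normalises a partial CL term with the four-rule $\omega$TRS of this section ($Sxyz \to \bot$, $Kxy \to \bot$, $Ix \to \bot$, $\bot x \to \bot$), so by Theorem 6.10 it is a direct approximant function; since that $\omega$TRS has the same transitive-reflexive closure as the Huet-Lévy $\omega$TRS of Example 6.2, it is also the Huet-Lévy direct approximant. `huet_levy_lhss` enumerates the Huet-Lévy rules $t \to \bot$ with $\bot \prec t \preceq l$ up to renaming of variables, which recovers the count of 28 given above. `blt_approx` computes a finite part of $BLT(t) = \downarrow A(t)$ by taking the direct approximants of the reducts along one leftmost-outermost reduction and closing them downward; every element it returns lies in $BLT(t)$, and when the reduction reaches a normal form $n$ the result is exactly $BLT(t) = \iota(\omega(n))$ by confluence and clause 3 of Definition 5.1. For a term without a normal form, such as $YK$, it only yields a lower approximation. CL terms are written as `("@", s, t)`, $\bot$ as the string "⊥", and pattern variables as lowercase strings; all of these conventions and names are assumptions made for this example.

```python
import itertools

# Added illustration (not code from the paper): direct approximants and Böhm-like trees for CL.
BOT = "⊥"                  # the unspecified subterm
S, K, I = "S", "K", "I"    # the combinators, represented as constants


def app(f, a):
    """Application node of a CL term: f a."""
    return ("@", f, a)


def apps(f, *args):
    """Left-associated application f a1 a2 ... an."""
    for a in args:
        f = app(f, a)
    return f


def is_var(t):
    # pattern variables are lowercase strings; S, K, I and ⊥ are constants
    return isinstance(t, str) and t.islower()


def match(pat, t, env=None):
    """Match the left-linear pattern pat against t; return the substitution or None."""
    env = {} if env is None else env
    if is_var(pat):
        env[pat] = t  # left-linearity: each variable occurs once, so no clash check
        return env
    if isinstance(pat, str) or isinstance(t, str):
        return env if pat == t else None
    if pat[0] != t[0] or len(pat) != len(t):
        return None
    for p, a in zip(pat[1:], t[1:]):
        if match(p, a, env) is None:
            return None
    return env


def instantiate(t, env):
    """Apply the substitution env to the term t."""
    if is_var(t):
        return env[t]
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(instantiate(a, env) for a in t[1:])


# The usual CL rules: S x y z -> x z (y z), K x y -> x, I x -> x.
CL_RULES = [(apps(S, "x", "y", "z"), app(app("x", "z"), app("y", "z"))),
            (apps(K, "x", "y"), "x"),
            (app(I, "x"), "x")]

# The four-rule ωTRS of Section 6: S x y z -> ⊥, K x y -> ⊥, I x -> ⊥, ⊥ x -> ⊥.
OMEGA_LHSS = [apps(S, "x", "y", "z"), apps(K, "x", "y"), app(I, "x"), app(BOT, "x")]


def omega(t):
    """Unique normal form of t with respect to the ωTRS, i.e. the direct approximant.
    Arguments are normalised first; because every rule collapses a redex to ⊥, a new
    redex can only arise at an ancestor of a collapsed subterm, so one post-order pass
    reaches the normal form."""
    if isinstance(t, str):
        return t
    t = (t[0],) + tuple(omega(a) for a in t[1:])
    return BOT if any(match(l, t) is not None for l in OMEGA_LHSS) else t


def cl_step(t):
    """One leftmost-outermost CL reduction step; None if t is a normal form."""
    for lhs, rhs in CL_RULES:
        env = match(lhs, t)
        if env is not None:
            return instantiate(rhs, env)
    if isinstance(t, tuple):
        for i in range(1, len(t)):
            r = cl_step(t[i])
            if r is not None:
                return t[:i] + (r,) + t[i + 1:]
    return None


def prefixes(t):
    """ι(t) = {s | s ≼ t}, the finite ideal (finite tree) represented by t (Section 4)."""
    if isinstance(t, str):
        return {BOT, t}
    return {BOT} | {(t[0],) + args
                    for args in itertools.product(*(prefixes(a) for a in t[1:]))}


def blt_approx(t, steps):
    """Downward closure of the direct approximants of the reducts of t along at most
    `steps` leftmost-outermost steps.  A finite subset of BLT(t) = ↓A(t); equal to BLT(t)
    when the reduction reaches a normal form."""
    tree = set()
    for _ in range(steps + 1):
        tree |= prefixes(omega(t))
        t = cl_step(t)
        if t is None:
            break
    return tree


def canonical(t, names=None):
    """Rename variables v0, v1, ... left to right, so that rules that differ only in the
    names of their variables compare equal."""
    names = {} if names is None else names
    if is_var(t):
        return names.setdefault(t, "v%d" % len(names))
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(canonical(a, names) for a in t[1:])


def huet_levy_lhss(lhss):
    """Left-hand sides t of the Huet-Lévy ωTRS (Example 6.2): ⊥ ≺ t ≼ l for a rule lhs l."""
    return {canonical(p) for l in lhss for p in prefixes(l) if p != BOT}


if __name__ == "__main__":
    sii = apps(S, I, I)
    print(len(huet_levy_lhss([l for l, _ in CL_RULES])))           # 28
    print(blt_approx(app(K, BOT), 5))                                # {⊥, ⊥⊥, K⊥}
    print(blt_approx(app(sii, sii), 6))                              # {⊥}
    print(blt_approx(app(K, app(I, K)), 5) == prefixes(app(K, K)))  # True
```

The last line illustrates Proposition 5.8: $K(IK) \to KK$, the direct approximant grows from $K\bot$ to $KK$ along the step, and the tree of $K(IK)$ equals $\iota(KK)$. The first two trees agree with the Berarducci-like trees of Example 5.7, as they must, since $K\bot$ is a normal form and no reduct of $SII(SII)$ is root-stable.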

7 Monotonicity and Continuity

In this section we prove that a Böhm-like tree whose direct approximant function can be defined by means of an $\omega$TRS is monotone and continuous. As in the previous section, we assume $\mathcal{R} = (\Sigma, R)$ is a confluent left-linear TRS and $\mathcal{D} = (\Sigma_\bot, D)$ is an $\omega$TRS of $\mathcal{R}$.

Proposition 7.1. The Böhm-like tree defined by $\mathcal{D}$ is a monotone function. That is, for all $s, t \in Ter(\Sigma_\bot, X)$, if $s \preceq t$, then $BLT(s) \preceq BLT(t)$.

Proof. Let $s, t \in Ter(\Sigma_\bot, X)$ such that $s \preceq t$. Suppose $s'' \in BLT(s)$. By the definition of $BLT(s)$ there exists an $s'$ such that $s'' \preceq \omega(s')$ and $s \to^* s'$. As all assumed TRSs are left-linear, there exists a $t'$ such that $t \to^* t'$ and $s' \preceq t'$. By Lemma 6.9.(4) we have $\omega(s') \preceq \omega(t')$. Hence, as $\omega(t') \in BLT(t)$, we also have $BLT(s) \preceq BLT(t)$. □

Proposition 7.2. The Böhm-like tree defined by $\mathcal{D}$ is a continuous function. That is, if $t \in Ter(\Sigma_\bot, X)$, then $BLT(t) = \bigsqcup\{BLT(s) \mid s \preceq t\}$.

Proof. Let $t \in Ter(\Sigma_\bot, X)$. As $t \preceq t$, we have $BLT(t) \in \{BLT(s) \mid s \preceq t\}$. Thus, $BLT(t) \preceq \bigsqcup\{BLT(s) \mid s \preceq t\}$. Moreover, by Proposition 7.1 we have for all $s \preceq t$ that $BLT(s) \preceq BLT(t)$ and, thus, $\bigsqcup\{BLT(s) \mid s \preceq t\} \preceq BLT(t)$. Combining both facts, we get the result. □

From the above two propositions we can conclude that the Huet-Lévy trees of the previous section are monotone and continuous. Note that Ariola [11] already proves this.

There exist Böhm-like trees that are not monotone and continuous. Consider, for example, the TRS with the single rewrite rule $f(a) \to b$ and its Berarducci-like tree. Given the terms $f(\bot)$ and $f(a)$ we have that $f(\bot) \preceq f(a)$, but

$BLT(f(\bot)) = \{\bot, f(\bot)\} \not\preceq \{\bot, b\} = BLT(f(a))$

and

$BLT(f(a)) = \{\bot, b\} \neq \{\bot, b, f(\bot)\} = \bigcup\{BLT(s) \mid s \preceq f(a)\}$.

In fact, the last set is not even a tree.

8 Further Directions 

There are at least four interesting directions for further research. First, does
precongruence hold for the presented Böhm-like trees, as it does for the Böhm-like
trees of the λ-calculus [1-3] and Huet-Lévy trees [11]? That is, suppose $C[\,]$ is
a context and s and t are terms, does it hold that

$BLT(C[s]) \leq BLT(C[t])$ if $BLT(s) \leq BLT(t)$

Second, can we extend Böhm-like trees to higher-order rewriting systems, such
that we also cover the Böhm-like trees of the λ-calculus? Third, similar to
Berarducci-like trees and the Berarducci trees of the λ-calculus, do Böhm trees [1]
and Lévy-Longo trees [2] have a counterpart for TRSs? Fourth, how does the
current approach relate to the infinitary rewriting approach [12]?
Abstract. In this paper we present some new refinements of the dependency
pair method for automatically proving the termination of term
rewrite systems. These refinements are very easy to implement, increase
the power of the method, result in simpler termination proofs, and make
the method more efficient.



1 Introduction 

Since the introduction of the dependency pair method (Arts and Giesl [1]) and
the monotonic semantic path order (Borralleras, Ferreira, and Rubio [5]), two
powerful methods that facilitate termination proofs that can be obtained
automatically, there is a renewed interest in the study of termination for term
rewrite systems. Three important issues which receive a lot of attention in current
research on termination are to make these methods faster, to improve the methods
such that more and more (challenging) rewrite systems can be handled, and to
extend the methods beyond the realm of ordinary first-order term rewriting.
Especially in connection with the dependency pair method many improvements,
extensions, and refinements have been published. The method forms an important
ingredient in several software tools for proving termination. To mention a
few (in order of appearance): CiME [6], TTT [15], AProVE [12], and TORPA [24].

In this paper we go back to the foundations of the dependency pair method.
Starting from scratch, we give a systematic account of the method. Along the
way we derive two new refinements which are very easy to implement, increase
the termination proving power¹, give rise to simpler termination proofs, and
make the method much faster.

We use the following term rewrite system (TRS for short) from Dershowitz [7]
to illustrate the developments in the remainder of the paper:

1: $\neg\neg x \to x$

2: $\neg(x \vee y) \to \neg x \wedge \neg y$

3: $\neg(x \wedge y) \to \neg x \vee \neg y$

4: $x \wedge (y \vee z) \to (x \wedge y) \vee (x \wedge z)$

5: $(y \vee z) \wedge x \to (x \wedge y) \vee (x \wedge z)$

¹ Note however the discussion at the end of Section 5.
Termination of this TRS is easily shown by the multiset path order. This,
however, does not mean that automatic termination tools easily find a termination
proof. For instance, both CiME and the fully automatic “Meta Combination”
algorithm in AProVE 1.0 fail to prove termination.

We assume familiarity with the basics of term rewriting ([3, 20]). We just
recall some basic notation and terminology. The set of terms $\mathcal{T}(\mathcal{F}, \mathcal{V})$ constructed
from a signature $\mathcal{F}$ and a disjoint set $\mathcal{V}$ of variables is abbreviated to $\mathcal{T}$ when
no confusion can arise. The set of variables appearing in a term t is denoted
by $Var(t)$. The root symbol of a term t is denoted by $root(t)$. Defined function
symbols are root symbols of left-hand sides of rewrite rules. We use $\xrightarrow{\epsilon}$ to denote
root rewrite steps and $\xrightarrow{>\epsilon}$ to denote rewrite steps in which the selected redex
occurs below the root. A substitution is a mapping σ from variables to terms such
that its domain $\mathcal{D}om(\sigma) = \{x \mid \sigma(x) \neq x\}$ is finite. We write $t\sigma$ to denote the
result of applying the substitution σ to the term t. A relation R on terms is closed
under substitutions if $(s\sigma, t\sigma) \in R$ whenever $(s, t) \in R$, for all substitutions σ.
We say that R is closed under contexts if $(u[s]_p, u[t]_p) \in R$ whenever $(s, t) \in R$,
for all terms u and positions p in u. The superterm relation is denoted by $\unrhd$ (i.e.,
$s \unrhd t$ if t is a subterm of s) and $\rhd$ denotes its strict part.

2 Dependency Pairs 

In this section and in Section 4 we recall the basics of the dependency pair 
method of Arts and Giesl [1]. We provide proofs of all results. 

Let us start with some easy observations. If a TRS $\mathcal{R}$ is not terminating
then there must be a minimal non-terminating term, minimal in the sense that
all its proper subterms are terminating. Let us denote the set of all minimal
non-terminating terms by $\mathcal{T}_\infty$.

Lemma 1. For every term $t \in \mathcal{T}_\infty$ there exist a rewrite rule $l \to r$, a substitution
σ, and a non-variable subterm u of r such that $t \xrightarrow{>\epsilon}^{*} l\sigma \xrightarrow{\epsilon} r\sigma \unrhd u\sigma$ and
$u\sigma \in \mathcal{T}_\infty$.

Proof. Let A be an infinite rewrite sequence starting at t. Since all proper subterms
of t are terminating, A must contain a root rewrite step. By considering
the first root rewrite step in A it follows that there exist a rewrite rule $l \to r$ and
a substitution σ such that A starts with $t \xrightarrow{>\epsilon}^{*} l\sigma \xrightarrow{\epsilon} r\sigma$. Write $l = f(l_1, \ldots, l_n)$.
Since the rewrite steps in $t \xrightarrow{>\epsilon}^{*} l\sigma$ take place below the root, $t = f(t_1, \ldots, t_n)$
and $t_i \to^{*} l_i\sigma$ for all $1 \leq i \leq n$. By assumption the arguments $t_1, \ldots, t_n$ of t are
terminating. Hence so are the terms $l_1\sigma, \ldots, l_n\sigma$. It follows that $\sigma(x)$ is terminating
for every $x \in Var(r) \subseteq Var(l)$. As $r\sigma$ is non-terminating it has a subterm
$t' \in \mathcal{T}_\infty$. Because non-terminating terms cannot occur in the substitution part,
there must be a non-variable subterm u of r such that $t' = u\sigma$. □

Observe that the term $l\sigma$ in Lemma 1 belongs to $\mathcal{T}_\infty$ as well. Further note that
$u\sigma$ cannot be a proper subterm of $l\sigma$ (since all arguments of $l\sigma$ are terminating).

Corollary 2. Every term in $\mathcal{T}_\infty$ has a defined root symbol. □
If we were to define a new TRS $\mathcal{S}$ consisting of all rewrite rules $l \to u$ for
which there exist a rewrite rule $l \to r \in \mathcal{R}$ and a subterm u of r with defined
function symbol, then the sequence in the conclusion of Lemma 1 is of the form
$t \xrightarrow{>\epsilon}^{*}_{\mathcal{R}} l\sigma \xrightarrow{\epsilon}_{\mathcal{S}} u\sigma$. The idea is now to get rid of the position constraints by marking
the root symbols of the terms in the rewrite rules of $\mathcal{S}$.

Definition 3. Let $\mathcal{R}$ be a TRS over a signature $\mathcal{F}$. Let $\mathcal{F}^\sharp$ denote the union
of $\mathcal{F}$ and $\{f^\sharp \mid f \text{ is a defined symbol of } \mathcal{R}\}$ where $f^\sharp$ is a fresh function symbol
with the same arity as f. We call these new symbols dependency pair symbols.
Given a term $t = f(t_1, \ldots, t_n) \in \mathcal{T}(\mathcal{F}, \mathcal{V})$ with f a defined symbol, we write $t^\sharp$
for the term $f^\sharp(t_1, \ldots, t_n)$. If $l \to r \in \mathcal{R}$ and u is a subterm of r with defined root
symbol such that u is not a proper subterm of l then the rewrite rule $l^\sharp \to u^\sharp$ is
called a dependency pair of $\mathcal{R}$. The set of all dependency pairs of $\mathcal{R}$ is denoted
by $\mathrm{DP}(\mathcal{R})$.

The idea of excluding dependency pairs $l^\sharp \to u^\sharp$ where u is a proper subterm
of l is due to Dershowitz [8]. Although dependency pair symbols are defined
symbols of $\mathrm{DP}(\mathcal{R})$, they are not defined symbols of $\mathcal{R}$. In the following, defined
symbols always refer to the original TRS $\mathcal{R}$.

Example 4. The example in the introduction admits the following 9 dependency
pairs:

6: $\neg^\sharp(x \vee y) \to \neg x \wedge^\sharp \neg y$

7: $\neg^\sharp(x \vee y) \to \neg^\sharp x$

8: $\neg^\sharp(x \vee y) \to \neg^\sharp y$

9: $\neg^\sharp(x \wedge y) \to \neg^\sharp x$

10: $\neg^\sharp(x \wedge y) \to \neg^\sharp y$

11: $x \wedge^\sharp (y \vee z) \to x \wedge^\sharp y$

12: $x \wedge^\sharp (y \vee z) \to x \wedge^\sharp z$

13: $(y \vee z) \wedge^\sharp x \to x \wedge^\sharp y$

14: $(y \vee z) \wedge^\sharp x \to x \wedge^\sharp z$

Lemma 5. For every term $s \in \mathcal{T}_\infty$ there exist terms $t, u \in \mathcal{T}_\infty$ such that
$s^\sharp \to^{*}_{\mathcal{R}} t^\sharp \to_{\mathrm{DP}(\mathcal{R})} u^\sharp$.

Proof. Immediate from Lemma 1, Corollary 2, and the preceding definition. □

Definition 6. For any subset $T \subseteq \mathcal{T}$ consisting of terms with a defined root
symbol, we denote the set $\{t^\sharp \mid t \in T\}$ by $T^\sharp$.

An immediate consequence of the previous lemma is that for every non-terminating
TRS $\mathcal{R}$ there exists an infinite rewrite sequence of the form

$t_1 \to^{*}_{\mathcal{R}} t_2 \to_{\mathrm{DP}(\mathcal{R})} t_3 \to^{*}_{\mathcal{R}} t_4 \to_{\mathrm{DP}(\mathcal{R})} \cdots$

with $t_i \in \mathcal{T}^\sharp_\infty$ for all $i \geq 1$. Hence, to prove termination of a TRS $\mathcal{R}$ it is
sufficient to show that $\mathcal{R} \cup \mathrm{DP}(\mathcal{R})$ does not admit such infinite sequences. Every
such sequence contains a tail in which all applied dependency pairs are used
infinitely many times. For finite TRSs, the set of those dependency pairs forms
a cycle in the dependency graph. From now on, we assume that all TRSs are
finite.

As a side remark, note that all terms in $\mathcal{T}^\sharp_\infty$ are terminating with respect to
$\mathcal{R}$ but admit an infinite rewrite sequence with respect to $\mathcal{R} \cup \mathrm{DP}(\mathcal{R})$.

Definition 7. The nodes of the dependency graph $\mathrm{DG}(\mathcal{R})$ are the dependency
pairs of $\mathcal{R}$ and there is an arrow from $s \to t$ to $u \to v$ if and only if there exist
substitutions σ and τ such that $t\sigma \to^{*}_{\mathcal{R}} u\tau$. A cycle is a nonempty subset C of
dependency pairs of $\mathrm{DP}(\mathcal{R})$ if for every two (not necessarily distinct) pairs $s \to t$
and $u \to v$ in C there exists a nonempty path in C from $s \to t$ to $u \to v$.

Definition 8. Let $C \subseteq \mathrm{DP}(\mathcal{R})$. An infinite rewrite sequence in $\mathcal{R} \cup C$ of the form

$t_1 \to^{*}_{\mathcal{R}} t_2 \to_C t_3 \to^{*}_{\mathcal{R}} t_4 \to_C \cdots$

with $t_i \in \mathcal{T}^\sharp_\infty$, is called C-minimal if all rules in C are applied infinitely often.

Hence proving termination boils down to proving the absence of C-minimal
rewrite sequences, for any cycle C in the dependency graph $\mathrm{DG}(\mathcal{R})$.

Example 9. The example in the introduction has the following dependency graph: 




It contains 30 cycles: all nonempty subsets of both {7, 8, 9, 10} and {11, 12, 13, 14}. 

Although the dependency graph is not computable in general, sound
approximations exist that can be computed efficiently (see [1, 17]). Soundness here
means that every cycle in the real dependency graph is a cycle in the
approximated graph. For the example TRS all known approximations compute the real
dependency graph.



3 Subterm Criterion 

We now present a new criterion which permits us to ignore certain cycles of the 
dependency graph. 
Definition 10. Let $\mathcal{R}$ be a TRS and $C \subseteq \mathrm{DP}(\mathcal{R})$ such that every dependency
pair symbol in C has positive arity. A simple projection for C is a mapping π
that assigns to every n-ary dependency pair symbol $f^\sharp$ in C an argument position
$i \in \{1, \ldots, n\}$. The mapping that assigns to every term $f^\sharp(t_1, \ldots, t_n) \in \mathcal{T}^\sharp$ with
$f^\sharp$ a dependency pair symbol in C its argument at position $\pi(f^\sharp)$ is also denoted
by π.

Theorem 11. Let $\mathcal{R}$ be a TRS and let C be a cycle in $\mathrm{DG}(\mathcal{R})$. If there exists a
simple projection π for C such that $\pi(C) \subseteq \unrhd$ and $\pi(C) \cap \rhd \neq \emptyset$ then there are
no C-minimal rewrite sequences.

Before presenting the proof, let us make some clarifying remarks about the
notation. If R is a set of rewrite rules and O is a relation on terms then the
expression $\pi(R)$ denotes the set $\{\pi(l) \to \pi(r) \mid l \to r \in R\}$, the inclusion $R \subseteq O$
abbreviates “$(l, r) \in O$ for all $l \to r \in R$”, and the inequality $R \cap O \neq \emptyset$
abbreviates “$(l, r) \in O$ for at least one $l \to r \in R$”. So the conditions state
that after applying the simple projection π, every rule in C is turned into an
identity or a rule whose right-hand side is a proper subterm of the left-hand
side. Moreover, the latter case applies at least once.

Proof. Suppose to the contrary that there exists a C-minimal rewrite sequence:

$t_1 \to^{*}_{\mathcal{R}} u_1 \to_C t_2 \to^{*}_{\mathcal{R}} u_2 \to_C t_3 \cdots$ (1)

All terms in this sequence have a dependency pair symbol in C as root symbol.
We apply the simple projection π to (1). Let $i \geq 1$.

— First consider the dependency pair step $u_i \to_C t_{i+1}$. There exist a dependency
pair $l \to r \in C$ and a substitution σ such that $u_i = l\sigma$ and $t_{i+1} = r\sigma$.
We have $\pi(u_i) = \pi(l)\sigma$ and $\pi(t_{i+1}) = \pi(r)\sigma$. We have $\pi(l) \unrhd \pi(r)$ by
assumption. So $\pi(l) = \pi(r)$ or $\pi(l) \rhd \pi(r)$. In the former case we trivially have
$\pi(u_i) = \pi(t_{i+1})$. In the latter case the closure under substitutions of $\rhd$ yields
$\pi(u_i) \rhd \pi(t_{i+1})$. Because of the assumption $\pi(C) \cap \rhd \neq \emptyset$, the latter holds
for infinitely many i.

— Next consider the rewrite sequence $t_i \to^{*}_{\mathcal{R}} u_i$. All steps in this sequence take
place below the root and thus we obtain the (possibly shorter) sequence
$\pi(t_i) \to^{*}_{\mathcal{R}} \pi(u_i)$.

So by applying the simple projection π, sequence (1) is transformed into an
infinite $\to_{\mathcal{R}} \cup \rhd$ sequence containing infinitely many $\rhd$ steps, starting from the
term $\pi(t_1)$. Since the relation $\rhd$ is well-founded, the infinite sequence must also
contain infinitely many $\to_{\mathcal{R}}$ steps. By making repeated use of the well-known
relational inclusion $\rhd \cdot \to_{\mathcal{R}} \subseteq \to_{\mathcal{R}} \cdot \rhd$ ($\rhd$ commutes over $\to_{\mathcal{R}}$ in the terminology
of [4]), we obtain an infinite $\to_{\mathcal{R}}$ sequence starting from $\pi(t_1)$. In other words, the
term $\pi(t_1)$ is non-terminating with respect to $\mathcal{R}$. Let $t_1 = f^\sharp(s_1, \ldots, s_n)$. Because
$t_1 \in \mathcal{T}^\sharp_\infty$, $f(s_1, \ldots, s_n)$ is a minimal non-terminating term. Consequently, its
argument $\pi(t_1) = s_{\pi(f^\sharp)}$ is terminating with respect to $\mathcal{R}$, providing the desired
contradiction. □
The remarkable thing about the above theorem is that it permits us to discard
cycles of the dependency graph without considering any rewrite rules. This is
extremely useful. Moreover, the criterion is very simple to check.

Example 12. Consider the cycle $C = \{7, 8, 9, 10\}$. The only dependency pair
symbol in C is $\neg^\sharp$. Since $\neg^\sharp$ is a unary function symbol, there is just one simple
projection for C: $\pi(\neg^\sharp) = 1$. By applying π to C, we obtain

7: $x \vee y \to x$

8: $x \vee y \to y$

9: $x \wedge y \to x$

10: $x \wedge y \to y$

We clearly have $\pi(C) \subseteq \rhd$. Hence we can ignore C (and all its subcycles). The
only cycles that are not handled by the criterion of Theorem 11 are the ones
that involve 13 or 14; applying the simple projection $\pi(\wedge^\sharp) = 1$ produces

13: $y \vee z \to x$

14: $y \vee z \to x$

whereas $\pi(\wedge^\sharp) = 2$ gives

13: $x \to y$

14: $x \to z$

None of these rules are compatible with $\unrhd$.

In implementations one shouldn’t compute all cycles of the dependency graph
(since there can be exponentially many in the number of dependency pairs), but
use the technique of Hirokawa and Middeldorp [14] to recursively solve strongly
connected components (which gives rise to a linear algorithm): if all pairs in
a strongly connected component (SCC for short) are compatible with $\unrhd$ after
applying a simple projection, the ones that are compatible with $\rhd$ are removed
and new SCCs among the remaining pairs are computed. This is illustrated in
the final two examples in this section. The last example furthermore shows that
the subterm criterion is capable of proving the termination of TRSs that are
considered to be challenging in the termination literature (cf. the remarks in
[10, Example 9]).

Example 13. Consider the following TRS from [7]:

1: $\mathrm{sort}([\,]) \to [\,]$

2: $\mathrm{sort}(x : y) \to \mathrm{insert}(x, \mathrm{sort}(y))$

3: $\mathrm{insert}(x, [\,]) \to x : [\,]$

4: $\mathrm{insert}(x, v : w) \to \mathrm{choose}(x, v : w, x, v)$

5: $\mathrm{choose}(x, v : w, y, 0) \to x : (v : w)$

6: $\mathrm{choose}(x, v : w, 0, s(z)) \to v : \mathrm{insert}(x, w)$

7: $\mathrm{choose}(x, v : w, s(y), s(z)) \to \mathrm{choose}(x, v : w, y, z)$

There are 5 dependency pairs:

8: $\mathrm{sort}^\sharp(x : y) \to \mathrm{insert}^\sharp(x, \mathrm{sort}(y))$

9: $\mathrm{sort}^\sharp(x : y) \to \mathrm{sort}^\sharp(y)$

10: $\mathrm{insert}^\sharp(x, v : w) \to \mathrm{choose}^\sharp(x, v : w, x, v)$

11: $\mathrm{choose}^\sharp(x, v : w, 0, s(z)) \to \mathrm{insert}^\sharp(x, w)$

12: $\mathrm{choose}^\sharp(x, v : w, s(y), s(z)) \to \mathrm{choose}^\sharp(x, v : w, y, z)$
The dependency graph

[figure: the dependency graph on the pairs 9, 8, 10, 11, 12]

contains 2 SCCs: {9} and {10, 11, 12}. The first one is handled by the simple
projection $\pi(\mathrm{sort}^\sharp) = 1$:

9: $x : y \to y$

For the other SCC we take $\pi(\mathrm{insert}^\sharp) = \pi(\mathrm{choose}^\sharp) = 2$:

10: $v : w \to v : w$

11: $v : w \to w$

12: $v : w \to v : w$

After removing the strictly decreasing pair 11, we are left with 10 and 12. The
restriction of the dependency graph to these two pairs contains one SCC: {12}.
This pair is handled by the simple projection $\pi(\mathrm{choose}^\sharp) = 3$:

12: $s(y) \to y$

Hence the TRS is terminating.

Example 14. Consider the following TRS from [19]:

1: $\mathrm{intlist}([\,]) \to [\,]$

2: $\mathrm{intlist}(x : y) \to s(x) : \mathrm{intlist}(y)$

3: $\mathrm{int}(0, 0) \to 0 : [\,]$

4: $\mathrm{int}(0, s(y)) \to 0 : \mathrm{int}(s(0), s(y))$

5: $\mathrm{int}(s(x), 0) \to [\,]$

6: $\mathrm{int}(s(x), s(y)) \to \mathrm{intlist}(\mathrm{int}(x, y))$

There are 4 dependency pairs:

7: $\mathrm{intlist}^\sharp(x : y) \to \mathrm{intlist}^\sharp(y)$

8: $\mathrm{int}^\sharp(0, s(y)) \to \mathrm{int}^\sharp(s(0), s(y))$

9: $\mathrm{int}^\sharp(s(x), s(y)) \to \mathrm{intlist}^\sharp(\mathrm{int}(x, y))$

10: $\mathrm{int}^\sharp(s(x), s(y)) \to \mathrm{int}^\sharp(x, y)$

The dependency graph

[figure: the dependency graph on the pairs 8, 10, 9, 7]

contains 2 SCCs: {7} and {8, 10}. The first one is handled by the simple projection
$\pi(\mathrm{intlist}^\sharp) = 1$:

7: $x : y \to y$

For the second one we use the simple projection $\pi(\mathrm{int}^\sharp) = 2$:

8: $s(y) \to s(y)$

10: $s(y) \to y$

After removing the strictly decreasing pair 10, we are left with 8. Since the
restriction of the dependency graph to the remaining pair 8 contains no SCCs,
the TRS is terminating.
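To make the procedure of Sections 2 and 3 concrete, the following Python is an added example (not code from the paper, nor from TTT or any other tool it mentions). It computes the dependency pairs of Definition 3, an approximated dependency graph, its SCCs, and then applies the subterm criterion of Theorem 11 with the recursive SCC treatment described above, on the TRS of Example 14. The graph approximation `may_match` is a simplification assumed here: it treats every variable as a wildcard, which keeps every arrow of the real graph but is coarser than the approximations of [1, 17].

```python
from itertools import product
# Terms: a variable is a plain str; an application is a tuple (symbol, arg_1, ..., arg_n).
def is_var(t):
    return isinstance(t, str)

def subterms(t):
    """All subterms of t, t itself first."""
    yield t
    if not is_var(t):
        for a in t[1:]:
            yield from subterms(a)

def proper_subterm(s, t):
    return not is_var(s) and any(u == t for a in s[1:] for u in subterms(a))

def dependency_pairs(rules):
    """Definition 3: l# -> u# for every subterm u of r with a defined root
    symbol that is not a proper subterm of l."""
    defined = {l[0] for l, _ in rules}
    mark = lambda t: (t[0] + '#',) + t[1:]
    pairs = []
    for l, r in rules:
        proper = [u for u in subterms(l) if u != l]
        for u in subterms(r):
            if not is_var(u) and u[0] in defined and u not in proper:
                pairs.append((mark(l), mark(u)))
    return pairs

def cap(t, defined):
    """CAP(t): every subterm with a defined root symbol becomes a variable."""
    if is_var(t) or t[0] in defined:
        return '_'
    return (t[0],) + tuple(cap(a, defined) for a in t[1:])

def may_match(s, t):
    """True unless a symbol clash rules out that an instance of s rewrites below
    the root to an instance of t.  Variables are wildcards, so repeated variables
    are not checked: sound, but coarser than the approximations of [1, 17]."""
    if is_var(s) or is_var(t):
        return True
    return s[0] == t[0] and len(s) == len(t) and all(
        may_match(a, b) for a, b in zip(s[1:], t[1:]))

def dependency_graph(pairs, defined):
    """Approximated DG(R): an arrow i -> j whenever CAP(rhs_i) may match lhs_j."""
    return {i: [j for j, (u, _) in enumerate(pairs) if may_match(cap(t, defined), u)]
            for i, (_, t) in enumerate(pairs)}

def sccs(graph, nodes):
    """SCCs of the graph restricted to `nodes`; a lone node counts only with a self-arrow."""
    def reach(i):
        seen, todo = set(), [j for j in graph[i] if j in nodes]
        while todo:
            j = todo.pop()
            if j not in seen:
                seen.add(j)
                todo += [k for k in graph[j] if k in nodes]
        return seen
    reach_of = {i: reach(i) for i in nodes}
    comps = []
    for i in nodes:
        if i in reach_of[i] and not any(i in c for c in comps):
            comps.append(frozenset(j for j in reach_of[i] if i in reach_of[j]))
    return comps

def subterm_criterion(pairs, graph, scc):
    """Theorem 11 with the recursive SCC scheme of [14]: under a simple projection
    with all pairs in |>= and some in |>, drop the strict pairs, recurse on the SCCs
    of the rest.  True means every cycle inside `scc` has been refuted."""
    arity = {pairs[i][0][0]: len(pairs[i][0]) - 1 for i in scc}
    symbols = sorted(arity)
    for choice in product(*[range(1, arity[f] + 1) for f in symbols]):
        pi = dict(zip(symbols, choice))
        proj = lambda t: t[pi[t[0]]]
        strict = {i for i in scc if proper_subterm(proj(pairs[i][0]), proj(pairs[i][1]))}
        weak = all(i in strict or proj(pairs[i][0]) == proj(pairs[i][1]) for i in scc)
        if weak and strict and all(subterm_criterion(pairs, graph, c)
                                   for c in sccs(graph, scc - strict)):
            return True
    return False

def prove_termination(rules):
    """Returns (every SCC refuted?, dependency pairs, approximated graph)."""
    pairs = dependency_pairs(rules)
    graph = dependency_graph(pairs, {l[0] for l, _ in rules})
    return (all(subterm_criterion(pairs, graph, c)
                for c in sccs(graph, set(range(len(pairs))))), pairs, graph)

# The TRS of Example 14, rules 1-6 over intlist, int, s, 0, [] and ':'.
s = lambda t: ('s', t)
cons = lambda x, y: (':', x, y)
ZERO, NIL = ('0',), ('[]',)
EXAMPLE_14 = [
    (('intlist', NIL), NIL),
    (('intlist', cons('x', 'y')), cons(s('x'), ('intlist', 'y'))),
    (('int', ZERO, ZERO), cons(ZERO, NIL)),
    (('int', ZERO, s('y')), cons(ZERO, ('int', s(ZERO), s('y')))),
    (('int', s('x'), ZERO), NIL),
    (('int', s('x'), s('y')), ('intlist', ('int', 'x', 'y'))),
]
```

On the leading example the same code finds the two SCCs {7, 8, 9, 10} and {11, 12, 13, 14} and refutes only the first, exactly as in Example 12.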

An empirical evaluation of the subterm criterion can be found in Section 6. 

4 Reduction Pairs and Argument Filterings 

What to do with cycles C of the dependency graph that cannot be handled by
the criterion of the preceding section? In the dependency pair approach one uses
a pair of orderings $(\gtrsim, >)$ that satisfy the properties stated below such that (1)
all rules in $\mathcal{R}$ are oriented by $\gtrsim$, (2) all rules in C are oriented by $\gtrsim \cup >$, and
(3) at least one rule in C is oriented by $>$.

Definition 15. A rewrite preorder is a preorder (i.e., a transitive and reflexive
relation) on terms which is closed under contexts and substitutions. A reduction
pair $(\gtrsim, >)$ consists of a rewrite preorder $\gtrsim$ and a compatible well-founded order
$>$ which is closed under substitutions. Compatibility means that the inclusion
$\gtrsim \cdot > \subseteq >$ or the inclusion $> \cdot \gtrsim \subseteq >$ holds.

Since we do not demand that $>$ is the strict part of the preorder $\gtrsim$, the
identity $\gtrsim \cdot > = >$ need not hold, although the reduction pairs that are used in
practice do satisfy this identity.

A typical example of a reduction pair is $(\geq_{\mathrm{lpo}}, >_{\mathrm{lpo}})$, where $>_{\mathrm{lpo}}$ is the
lexicographic path order induced by the (strict) precedence $>$ and $\geq_{\mathrm{lpo}}$ denotes its
reflexive closure. Both $\geq_{\mathrm{lpo}}$ and $>_{\mathrm{lpo}}$ are closed under contexts and the identity
$\geq_{\mathrm{lpo}} \cdot >_{\mathrm{lpo}} = >_{\mathrm{lpo}}$ holds.

A general semantic construction of reduction pairs, which covers polynomial
interpretations, is based on the concept of algebra. If we equip the carrier
A of an algebra $\mathcal{A} = (A, \{f_{\mathcal{A}}\}_{f \in \mathcal{F}})$ with a well-founded order $>$ such
that every interpretation function is weakly monotone in all arguments (i.e.,
$f_{\mathcal{A}}(x_1, \ldots, x_n) \geq f_{\mathcal{A}}(y_1, \ldots, y_n)$ whenever $x_i \geq y_i$ for all $1 \leq i \leq n$, for every
n-ary function symbol $f \in \mathcal{F}$) then $(\gtrsim_{\mathcal{A}}, >_{\mathcal{A}})$ is a reduction pair. Here the relations
$\gtrsim_{\mathcal{A}}$ and $>_{\mathcal{A}}$ are defined as follows: $s \gtrsim_{\mathcal{A}} t$ if $[\alpha]_{\mathcal{A}}(s) \geq [\alpha]_{\mathcal{A}}(t)$ and $s >_{\mathcal{A}} t$
if $[\alpha]_{\mathcal{A}}(s) > [\alpha]_{\mathcal{A}}(t)$, for all assignments α of elements of A to the variables in s
and t ($[\alpha]_{\mathcal{A}}(\cdot)$ denotes the usual evaluation function associated with the algebra
$\mathcal{A}$). In general, the relation $>_{\mathcal{A}}$ is not closed under contexts, $\gtrsim_{\mathcal{A}}$ is not a partial
order, and $>_{\mathcal{A}}$ is not the strict part of $\gtrsim_{\mathcal{A}}$. Compatibility holds because of the
identity $\gtrsim_{\mathcal{A}} \cdot >_{\mathcal{A}} = >_{\mathcal{A}}$.

In order for reduction pairs like $(\geq_{\mathrm{lpo}}, >_{\mathrm{lpo}})$ whose second component is
closed under contexts to benefit from the fact that closure under contexts is
not required, the conditions (1), (2), and (3) mentioned at the beginning of this
section may be simplified by deleting certain (arguments of) function symbols
occurring in $\mathcal{R}$ and C before testing orientability.

Definition 16. An argument filtering for a signature $\mathcal{F}$ is a mapping π that
assigns to every n-ary function symbol $f \in \mathcal{F}$ an argument position $i \in \{1, \ldots, n\}$
or a (possibly empty) list $[i_1, \ldots, i_m]$ of argument positions with $1 \leq i_1 < \cdots < i_m \leq n$.
The signature $\mathcal{F}_\pi$ consists of all function symbols f such that $\pi(f)$ is
some list $[i_1, \ldots, i_m]$, where in $\mathcal{F}_\pi$ the arity of f is m. Every argument filtering
π induces a mapping from $\mathcal{T}(\mathcal{F}, \mathcal{V})$ to $\mathcal{T}(\mathcal{F}_\pi, \mathcal{V})$, also denoted by π:

$$\pi(t) = \begin{cases}
t & \text{if } t \text{ is a variable} \\
\pi(t_i) & \text{if } t = f(t_1, \ldots, t_n) \text{ and } \pi(f) = i \\
f(\pi(t_{i_1}), \ldots, \pi(t_{i_m})) & \text{if } t = f(t_1, \ldots, t_n) \text{ and } \pi(f) = [i_1, \ldots, i_m]
\end{cases}$$

Note that the simple projections of the preceding sections can be viewed as
special argument filterings.

Example 17. Applying the argument filtering π with $\pi(\wedge) = \pi(\vee) = [\,]$ and
$\pi(\neg) = [1]$ to the rewrite rules of our leading example results in the following
simplified rules:

1: $\neg\neg x \to x$

2: $\neg(\vee) \to \wedge$

3: $\neg(\wedge) \to \vee$

4: $\wedge \to \vee$

5: $\wedge \to \vee$

These rules are oriented from left to right by the lexicographic path order with
precedence $\neg > \wedge > \vee$ (which does not imply termination of the original TRS).

We are now ready to state and prove the standard dependency pair approach 
to the treatment of cycles in the dependency graph. 

Theorem 18 ([9]). Let $\mathcal{R}$ be a TRS and let C be a cycle in $\mathrm{DG}(\mathcal{R})$. If there
exist an argument filtering π and a reduction pair $(\gtrsim, >)$ such that $\pi(\mathcal{R}) \subseteq \gtrsim$,
$\pi(C) \subseteq \gtrsim \cup >$, and $\pi(C) \cap > \neq \emptyset$ then there are no C-minimal rewrite sequences.
Although the condition $\pi(C) \subseteq \gtrsim \cup >$ is weaker than $\pi(C) \subseteq \gtrsim$, in practice
there is no difference since all reduction pairs that are used in automatic tools
satisfy the inclusion $> \subseteq \gtrsim$.

Proof. Suppose to the contrary that there exists a C-minimal rewrite sequence:

$t_1 \to^{*}_{\mathcal{R}} u_1 \to_C t_2 \to^{*}_{\mathcal{R}} u_2 \to_C t_3 \cdots$ (2)

We show that after applying the argument filtering π we obtain an infinite
descending sequence with respect to the well-founded order $>$. Let $i \geq 1$.

— First consider the dependency pair step $u_i \to_C t_{i+1}$. Since $u_i \in \mathcal{T}^\sharp_\infty$ the step
takes place at the root position and thus there exist a dependency pair
$l \to r \in C$ and a substitution σ such that $u_i = l\sigma$ and $t_{i+1} = r\sigma$. Define the
substitution $\sigma_\pi$ as the composition of σ and π, i.e., $\sigma_\pi(x) = \pi(\sigma(x))$ for every
variable x. A straightforward induction proof reveals that $\pi(t\sigma) = \pi(t)\sigma_\pi$
for every term t. Hence $\pi(u_i) = \pi(l)\sigma_\pi$ and $\pi(t_{i+1}) = \pi(r)\sigma_\pi$. From the
assumption $\pi(C) \subseteq \gtrsim \cup >$ we infer that $\pi(l) \gtrsim \pi(r)$ or $\pi(l) > \pi(r)$. Since
both $\gtrsim$ and $>$ are closed under substitutions, we have $\pi(u_i) \gtrsim \pi(t_{i+1})$ or
$\pi(u_i) > \pi(t_{i+1})$. As in the proof of Theorem 11, the latter holds for infinitely
many i because of the assumption $\pi(C) \cap > \neq \emptyset$.

— Next consider the rewrite sequence $t_i \to^{*}_{\mathcal{R}} u_i$. Using the assumption
$\pi(\mathcal{R}) \subseteq \gtrsim$, we obtain $\pi(t_i) \gtrsim^{*} \pi(u_i)$ and thus $\pi(t_i) \gtrsim \pi(u_i)$ as in the preceding case.

So (2) is transformed into an infinite descending sequence consisting of $\gtrsim$ and $>$
steps, where there are an infinite number of the latter. Using the compatibility of
$\gtrsim$ and $>$, we obtain an infinite descending sequence with respect to $>$, providing
the desired contradiction. □

Example 19. The argument filtering of Example 17 cannot be used to handle
the remaining SCC {11, 12, 13, 14} in our leading example. This can be seen as
follows. Because $\pi(\vee) = [\,]$, irrespective of the choice of $\pi(\wedge^\sharp)$, variables y and z
will no longer appear in the left-hand sides of the simplified dependency pairs.
Hence they cannot appear in the right-hand sides, and this is only possible if we
take 1, [1], or [ ] for $\pi(\wedge^\sharp)$. The first two choices transform dependency pairs 13
and 14 into rules in which the variable x appears on the right-hand side but not
on the left-hand side, whereas the third choice turns all dependency pairs into
the identity $\wedge^\sharp = \wedge^\sharp$.

Since the original TRS is compatible with the multiset path order, it is no
surprise that the constraints of Theorem 18 for both SCCs are satisfied by the
full argument filtering π (that maps every n-ary function symbol to $[1, \ldots, n]$)
and the reduction pair $(\geq_{\mathrm{mpo}}, >_{\mathrm{mpo}})$ with the precedence $\neg > \wedge > \vee$. However,
it can be shown that there is no argument filtering π such that the resulting
constraints are satisfied by a polynomial interpretation or the lexicographic path
order.
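The following Python is an added example, not code from the paper: it implements the mapping induced by an argument filtering (Definition 16), reproduces the filtered rules of Example 17, and mechanises the reasoning of Example 19 by trying every value of π(∧#) on dependency pairs 11-14. The check relies on the assumption the example itself makes, namely that with the reduction pairs used in practice a filtered pair cannot be oriented when its right-hand side contains a variable absent from its left-hand side; symbol names are ASCII substitutes ('and#' for ∧#).

```python
# Terms as in the other added examples: variables are plain str, applications
# are tuples (symbol, arg_1, ..., arg_n), so a filtered-away symbol such as
# pi(or) = [] leaves the constant ('or',).  An argument filtering pi maps a
# symbol to a position i or to a list [i_1, ..., i_m] (1-based); symbols
# missing from pi keep all their arguments.
def apply_filtering(pi, t):
    """The mapping from T(F, V) to T(F_pi, V) induced by pi (Definition 16)."""
    if isinstance(t, str):
        return t
    f, args = t[0], t[1:]
    p = pi.get(f, list(range(1, len(args) + 1)))
    if isinstance(p, int):
        return apply_filtering(pi, args[p - 1])
    return (f,) + tuple(apply_filtering(pi, args[i - 1]) for i in p)

def variables(t):
    return {t} if isinstance(t, str) else {x for a in t[1:] for x in variables(a)}

def filter_rules(pi, rules):
    return [(apply_filtering(pi, l), apply_filtering(pi, r)) for l, r in rules]

def check_filtering(pi, pairs):
    """Returns (extra, identities).  extra maps the index of every filtered pair
    whose right-hand side has a variable that its left-hand side lacks to those
    variables; identities is True when all filtered pairs have the form l -> l.
    Either situation defeats Theorem 18 for the reduction pairs used in practice:
    an extra variable cannot be oriented, and identities never give pi(C) ∩ > ≠ ∅."""
    filtered = filter_rules(pi, pairs)
    extra = {i: sorted(variables(r) - variables(l))
             for i, (l, r) in enumerate(filtered) if variables(r) - variables(l)}
    return extra, all(l == r for l, r in filtered)

# The leading example (rules 1-5) and its dependency pairs 11-14.
neg = lambda t: ('not', t)
land = lambda x, y: ('and', x, y)
lor = lambda x, y: ('or', x, y)
RULES = [
    (neg(neg('x')), 'x'),
    (neg(lor('x', 'y')), land(neg('x'), neg('y'))),
    (neg(land('x', 'y')), lor(neg('x'), neg('y'))),
    (land('x', lor('y', 'z')), lor(land('x', 'y'), land('x', 'z'))),
    (land(lor('y', 'z'), 'x'), lor(land('x', 'y'), land('x', 'z'))),
]
AND = lambda x, y: ('and#', x, y)          # the dependency pair symbol of 'and'
PAIRS_11_14 = [
    (AND('x', lor('y', 'z')), AND('x', 'y')),
    (AND('x', lor('y', 'z')), AND('x', 'z')),
    (AND(lor('y', 'z'), 'x'), AND('x', 'y')),
    (AND(lor('y', 'z'), 'x'), AND('x', 'z')),
]
PI_17 = {'and': [], 'or': [], 'not': [1]}   # the filtering of Example 17

def example_19():
    """Extends PI_17 with each possible value of pi(and#) and returns the values
    under which pairs 11-14 pass check_filtering; Example 19 predicts none."""
    survivors = []
    for choice in [1, 2, [], [1], [2], [1, 2]]:
        extra, identities = check_filtering({**PI_17, 'and#': choice}, PAIRS_11_14)
        if not extra and not identities:
            survivors.append(choice)
    return survivors
```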

Observe that the proof of Theorem 18 does not use the fact that C-minimal
rewrite sequences start from terms in $\mathcal{T}^\sharp_\infty$. In the next section we show that
by restoring the use of minimality, we can get rid of some of the constraints
originating from $\mathcal{R}$.
5 Usable Rules

More precisely, we show that the concept of usable rules which was introduced in
[1] to optimize the dependency pair method for innermost termination, can also
be used for termination. The resulting termination criterion is stronger than
previous results in this area ([10, 23]). We start by recalling the definition of
usable rules.



Definition 20. We write $f \blacktriangleright g$ if there exists a rewrite rule $l \to r \in \mathcal{R}$ such
that $f = root(l)$ and g is a defined function symbol in $\mathcal{F}un(r)$. For a set $\mathcal{G}$ of
defined function symbols we denote by $\mathcal{R}{\upharpoonright}\mathcal{G}$ the set of rewrite rules $l \to r \in \mathcal{R}$
with $root(l) \in \mathcal{G}$. The set $\mathcal{U}(t)$ of usable rules of a term t is defined as
$\mathcal{R}{\upharpoonright}\{g \mid f \blacktriangleright^{*} g \text{ for some } f \in \mathcal{F}un(t)\}$. Finally, if C is a set of dependency pairs then

$$\mathcal{U}(C) = \bigcup_{l \to r \in C} \mathcal{U}(r)$$

Example 21. None of the dependency pairs that appear in an SCC in our leading 
example have defined symbols in their right-hand sides, so for both SCCs the set 
of usable rules is empty. The same is true for the TRSs of Examples 13 and 14. 

The following definition is the key to our result. It is a variation of a similar 
definition in Urbain [23], which in turn is based on a definition of Gramlich [13]. 

Definition 22. Let $\mathcal{R}$ be a TRS over a signature $\mathcal{F}$ and let $\mathcal{G} \subseteq \mathcal{F}$. The
interpretation $I_{\mathcal{G}}$ is a mapping from terminating terms in $\mathcal{T}(\mathcal{F}^\sharp, \mathcal{V})$ to terms in
$\mathcal{T}(\mathcal{F}^\sharp \cup \{\mathrm{nil}, \mathrm{cons}\}, \mathcal{V})$, where nil and cons are fresh function symbols, inductively
defined as follows:

$$I_{\mathcal{G}}(t) = \begin{cases}
t & \text{if } t \text{ is a variable} \\
f(I_{\mathcal{G}}(t_1), \ldots, I_{\mathcal{G}}(t_n)) & \text{if } t = f(t_1, \ldots, t_n) \text{ and } f \notin \mathcal{G} \\
\mathrm{cons}(f(I_{\mathcal{G}}(t_1), \ldots, I_{\mathcal{G}}(t_n)), t') & \text{if } t = f(t_1, \ldots, t_n) \text{ and } f \in \mathcal{G}
\end{cases}$$

where in the last clause $t'$ denotes the term $\mathrm{order}(\{I_{\mathcal{G}}(u) \mid t \to_{\mathcal{R}} u\})$ with

$$\mathrm{order}(T) = \begin{cases}
\mathrm{nil} & \text{if } T = \emptyset \\
\mathrm{cons}(t, \mathrm{order}(T \setminus \{t\})) & \text{if } t \text{ is the minimum element of } T
\end{cases}$$

Here we assume an arbitrary but fixed total order on $\mathcal{T}(\mathcal{F}^\sharp \cup \{\mathrm{nil}, \mathrm{cons}\}, \mathcal{V})$.

Because we deal with finite TRSs, the relation $\to_{\mathcal{R}}$ is finitely branching
and hence the set $\{u \mid t \to_{\mathcal{R}} u\}$ of one-step reducts of t is finite. Moreover,
every term in this set is terminating. The well-definedness of $I_{\mathcal{G}}$ now follows by
a straightforward induction argument. The difference with Urbain’s definition is
that we insert $f(I_{\mathcal{G}}(t_1), \ldots, I_{\mathcal{G}}(t_n))$ in the list $t'$ when $f \in \mathcal{G}$. This modification
is crucial for obtaining Theorem 29 below.
In the following $\mathcal{C}_{\mathcal{E}}$ denotes the TRS consisting of the two projection rules

$\mathrm{cons}(x, y) \to x$
$\mathrm{cons}(x, y) \to y$

These rules are used to extract elements from the lists constructed by the
interpretation $I_{\mathcal{G}}$. To improve readability, we abbreviate $\mathrm{cons}(t_1, \ldots \mathrm{cons}(t_n, \mathrm{nil}) \ldots)$
to $[t_1, \ldots, t_n]$ in the next example.

Example 23. Consider the non-terminating TRS $\mathcal{R}$ consisting of the following
three rewrite rules:

1: $x + 0 \to x$

2: $x \times 0 \to 0$

3: $x \times s(y) \to (x + 0) \times s(y)$

There are two dependency pairs:

4: $x \times^\sharp s(y) \to (x + 0) \times^\sharp s(y)$

5: $x \times^\sharp s(y) \to x +^\sharp 0$

The dependency graph

[figure: the dependency graph on the pairs 4 and 5, with a loop on 4 and an arrow from 4 to 5]

contains 1 cycle: $C = \{4\}$. The following is a C-minimal rewrite sequence:

$((0 + 0) \times 0) \times^\sharp s(0) \to_C (((0 + 0) \times 0) + 0) \times^\sharp s(0)$
$\to_{\mathcal{R}} ((0 + 0) \times 0) \times^\sharp s(0)$
$\to_{\mathcal{R}} 0 \times^\sharp s(0)$
$\to_C (0 + 0) \times^\sharp s(0)$
$\to_{\mathcal{R}} 0 \times^\sharp s(0)$
$\to_C \cdots$

We have $\mathcal{U}(C) = \{1\}$. Let $\mathcal{G}$ be the set of defined symbols of $\mathcal{R} \setminus \mathcal{U}(C)$, i.e.,
$\mathcal{G} = \{\times\}$. Applying the definition of $I_{\mathcal{G}}$ yields

$I_{\mathcal{G}}(0 \times 0) = \mathrm{cons}(I_{\mathcal{G}}(0) \times I_{\mathcal{G}}(0), \mathrm{order}(\{I_{\mathcal{G}}(0)\}))$
$= \mathrm{cons}(0 \times 0, \mathrm{order}(\{0\}))$
$= \mathrm{cons}(0 \times 0, \mathrm{cons}(0, \mathrm{nil}))$
$= [0 \times 0, 0]$

and

$I_{\mathcal{G}}((0 + 0) \times 0) = \mathrm{cons}(I_{\mathcal{G}}(0 + 0) \times I_{\mathcal{G}}(0), \mathrm{order}(\{I_{\mathcal{G}}(0 \times 0), I_{\mathcal{G}}(0)\}))$
$= \mathrm{cons}((0 + 0) \times 0, \mathrm{order}(\{[0 \times 0, 0], 0\}))$
$= [(0 + 0) \times 0, 0, [0 \times 0, 0]]$

if we assume that 0 is smaller than $[0 \times 0, 0]$ in the given total order. Now, by
applying $I_{\mathcal{G}}$ to all terms in the above C-minimal rewrite sequence, we obtain the
following infinite rewrite sequence in $\mathcal{U}(C) \cup C \cup \mathcal{C}_{\mathcal{E}}$:

$[(0 + 0) \times 0, 0, [0 \times 0, 0]] \times^\sharp s(0) \to_C ([(0 + 0) \times 0, 0, [0 \times 0, 0]] + 0) \times^\sharp s(0)$
$\to_{\mathcal{U}(C)} [(0 + 0) \times 0, 0, [0 \times 0, 0]] \times^\sharp s(0)$
$\to^{*}_{\mathcal{C}_{\mathcal{E}}} 0 \times^\sharp s(0)$
$\to_C (0 + 0) \times^\sharp s(0)$
$\to_{\mathcal{U}(C)} 0 \times^\sharp s(0)$
$\to_C \cdots$
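As an added example (not the paper’s code), here is Definition 20 in Python: `usable_rules` computes ▶ from the rules, closes it transitively from the defined symbols in the right-hand sides of the given dependency pairs, and restricts R accordingly; it reproduces U(C) = {1} for the cycle C = {4} of Example 23. Symbol names are ASCII substitutes ('*' for ×, '*#' and '+#' for the dependency pair symbols).

```python
# Terms as in the other added examples: variables are plain str, applications
# are tuples (symbol, arg_1, ..., arg_n); constants are 1-tuples such as ('0',).
def fun(t):
    """Fun(t): the set of function symbols occurring in the term t."""
    if isinstance(t, str):
        return set()
    return {t[0]} | {f for a in t[1:] for f in fun(a)}

def usable_rules(rules, pairs):
    """Definition 20.  f ▶ g when some rule l -> r in `rules` has root(l) = f and
    a defined symbol g in Fun(r); U(C) is R restricted to the symbols g with
    f ▶* g for some f in Fun(r), l -> r in C (the dependency pairs `pairs`)."""
    defined = {l[0] for l, _ in rules}
    succ = {f: set() for f in defined}
    for l, r in rules:
        succ[l[0]] |= fun(r) & defined
    todo = {f for _, r in pairs for f in fun(r) & defined}
    usable = set()
    while todo:                         # transitive closure of ▶ from the start set
        f = todo.pop()
        if f not in usable:
            usable.add(f)
            todo |= succ[f]
    return [(l, r) for l, r in rules if l[0] in usable]

# The TRS and dependency pairs of Example 23.
ZERO = ('0',)
s = lambda t: ('s', t)
plus = lambda x, y: ('+', x, y)
times = lambda x, y: ('*', x, y)
EXAMPLE_23 = [
    (plus('x', ZERO), 'x'),                                # 1: x + 0 -> x
    (times('x', ZERO), ZERO),                              # 2: x × 0 -> 0
    (times('x', s('y')), times(plus('x', ZERO), s('y'))),  # 3: x × s(y) -> (x + 0) × s(y)
]
PAIR_4 = (('*#', 'x', s('y')), ('*#', plus('x', ZERO), s('y')))
PAIR_5 = (('*#', 'x', s('y')), ('+#', 'x', ZERO))
```

For the dependency pairs of the leading example, whose right-hand sides contain no defined symbols, the same function returns the empty set, as stated in Example 21.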



We start with some preliminary results. The first one addresses the behaviour
of $I_{\mathcal{G}}$ on instantiated terms. The second states that $I_{\mathcal{G}}$ preserves any top part
without $\mathcal{G}$-symbols.

Definition 24. If σ is a substitution that assigns to every variable in its domain
a terminating term then we denote the substitution that assigns to every variable
x the term $I_{\mathcal{G}}(\sigma(x))$ by $\sigma_{I_{\mathcal{G}}}$.

Lemma 25. Let $\mathcal{R}$ be a TRS over a signature $\mathcal{F}$ and let $\mathcal{G} \subseteq \mathcal{F}$. Let t be a term
and σ a substitution. If $t\sigma$ is terminating then $I_{\mathcal{G}}(t\sigma) \to^{*}_{\mathcal{C}_{\mathcal{E}}} t\sigma_{I_{\mathcal{G}}}$. If t does
not contain $\mathcal{G}$-symbols, $I_{\mathcal{G}}(t\sigma) = t\sigma_{I_{\mathcal{G}}}$.

Proof. We use induction on t. If t is a variable then $I_{\mathcal{G}}(t\sigma) = I_{\mathcal{G}}(\sigma(t)) = t\sigma_{I_{\mathcal{G}}}$.
Let $t = f(t_1, \ldots, t_n)$. We distinguish two cases.

1. If $f \notin \mathcal{G}$ then $I_{\mathcal{G}}(t\sigma) = f(I_{\mathcal{G}}(t_1\sigma), \ldots, I_{\mathcal{G}}(t_n\sigma))$. The induction hypothesis
yields $I_{\mathcal{G}}(t_i\sigma) \to^{*}_{\mathcal{C}_{\mathcal{E}}} t_i\sigma_{I_{\mathcal{G}}}$ for $1 \leq i \leq n$ and thus

$I_{\mathcal{G}}(t\sigma) \to^{*}_{\mathcal{C}_{\mathcal{E}}} f(t_1\sigma_{I_{\mathcal{G}}}, \ldots, t_n\sigma_{I_{\mathcal{G}}}) = t\sigma_{I_{\mathcal{G}}}$

If there are no $\mathcal{G}$-symbols in $t_1, \ldots, t_n$ then we obtain $I_{\mathcal{G}}(t_i\sigma) = t_i\sigma_{I_{\mathcal{G}}}$ for all
$1 \leq i \leq n$ from the induction hypothesis and thus $I_{\mathcal{G}}(t\sigma) = t\sigma_{I_{\mathcal{G}}}$.

2. If $f \in \mathcal{G}$ then

$I_{\mathcal{G}}(t\sigma) = \mathrm{cons}(f(I_{\mathcal{G}}(t_1\sigma), \ldots, I_{\mathcal{G}}(t_n\sigma)), t') \to_{\mathcal{C}_{\mathcal{E}}} f(I_{\mathcal{G}}(t_1\sigma), \ldots, I_{\mathcal{G}}(t_n\sigma))$

for some term $t'$. We obtain $f(I_{\mathcal{G}}(t_1\sigma), \ldots, I_{\mathcal{G}}(t_n\sigma)) \to^{*}_{\mathcal{C}_{\mathcal{E}}} t\sigma_{I_{\mathcal{G}}}$ as in the
preceding case and thus $I_{\mathcal{G}}(t\sigma) \to^{*}_{\mathcal{C}_{\mathcal{E}}} t\sigma_{I_{\mathcal{G}}}$ as desired. □

The preceding lemma is not true for Urbain’s interpretation function.

Lemma 26. Let $\mathcal{R}$ be a TRS over a signature $\mathcal{F}$ and let $\mathcal{G} \subseteq \mathcal{F}$. If
$t = C[t_1, \ldots, t_n]$ is terminating and the context C contains no $\mathcal{G}$-symbols then
$I_{\mathcal{G}}(t) = C[I_{\mathcal{G}}(t_1), \ldots, I_{\mathcal{G}}(t_n)]$.

Proof. Let $t'$ be the term $C[x_1, \ldots, x_n]$ where $x_1, \ldots, x_n$ are fresh variables. We
have $t = t'\sigma$ for the substitution $\sigma = \{x_i \mapsto t_i \mid 1 \leq i \leq n\}$. The preceding
lemma yields $I_{\mathcal{G}}(t) = t'\sigma_{I_{\mathcal{G}}}$. Clearly $t'\sigma_{I_{\mathcal{G}}} = C[I_{\mathcal{G}}(t_1), \ldots, I_{\mathcal{G}}(t_n)]$.  □

The next lemma states an easy connection between usable rules and defined
symbols of the other rules.

Lemma 27. Let $\mathcal{R}$ be a TRS over a signature $\mathcal{F}$ and let $C \subseteq \mathrm{DP}(\mathcal{R})$. Furthermore,
let $\mathcal{G}$ be the set of defined symbols of $\mathcal{R} \setminus \mathcal{U}(C)$.

1. $\mathcal{R} = \mathcal{U}(C) \cup (\mathcal{R}{\upharpoonright}\mathcal{G})$.

2. If $l \to r \in \mathcal{U}(C)$ then r contains no $\mathcal{G}$-symbols.

Proof. The first statement is obvious. For the second statement we reason as
follows. Suppose to the contrary that r contains a function symbol $g \in \mathcal{G}$. We
have $l \to r \in \mathcal{U}(t)$ for some $s \to t \in C$. So there exists a function symbol
$f \in \mathcal{F}un(t)$ such that $f \blacktriangleright^{*} root(l)$. We have $root(l) \blacktriangleright g$ by the definition of $\blacktriangleright$
and hence also $f \blacktriangleright^{*} g$. Therefore $\mathcal{R}{\upharpoonright}\{g\} \subseteq \mathcal{U}(t) \subseteq \mathcal{U}(C)$. So g is a defined symbol
of a rule in $\mathcal{U}(C)$. This contradicts the assumption that $g \in \mathcal{G}$. □

The following lemma is the key result for the new termination criterion. It
states that rewrite steps in $\mathcal{R}$ are transformed by $I_{\mathcal{G}}$ into rewrite sequences in
$\mathcal{U}(C) \cup \mathcal{C}_{\mathcal{E}}$, provided $\mathcal{G}$ is the set of defined symbols of $\mathcal{R} \setminus \mathcal{U}(C)$.

Lemma 28. Let TZ be a TRS over a signature T and let C C DP(7?.). Fur- 
thermore, let G be the set of defined symbols of TZ\U{C). If terms s and t are 
terminating and s -Gn t then Ig{s) -^^(^c)uCs Ig{t). 

Proof. Let $p$ be the position of the rewrite step $s \to_{\mathcal{R}} t$. We distinguish two cases.

— First suppose that there is a function symbol from $\mathcal{G}$ at a position $q \leq p$. In this case we may write $s = C[s_1, \ldots, s_i, \ldots, s_n]$ and $t = C[s_1, \ldots, t_i, \ldots, s_n]$ with $s_i \to_{\mathcal{R}} t_i$, where $\mathrm{root}(s_i) \in \mathcal{G}$ and the context $C$ contains no $\mathcal{G}$-symbols. We have $I_{\mathcal{G}}(s_i) \to_{\mathcal{C}_\varepsilon} \mathrm{order}(\{ I_{\mathcal{G}}(u) \mid s_i \to_{\mathcal{R}} u \})$. Since $s_i \to_{\mathcal{R}} t_i$, we can extract $I_{\mathcal{G}}(t_i)$ from the term $\mathrm{order}(\{ I_{\mathcal{G}}(u) \mid s_i \to_{\mathcal{R}} u \})$ by appropriate $\mathcal{C}_\varepsilon$ steps, so $I_{\mathcal{G}}(s_i) \to^*_{\mathcal{C}_\varepsilon} I_{\mathcal{G}}(t_i)$. We now obtain $I_{\mathcal{G}}(s) \to^*_{\mathcal{C}_\varepsilon} I_{\mathcal{G}}(t)$ from Lemma 26.

— In the other case $s = C[s_1, \ldots, s_i, \ldots, s_n]$ and $t = C[s_1, \ldots, t_i, \ldots, s_n]$ with $s_i \to_{\mathcal{R}} t_i$, where $\mathrm{root}(s_i) \notin \mathcal{G}$ and the context $C$ contains no $\mathcal{G}$-symbols. Since $\mathrm{root}(s_i) \notin \mathcal{G}$ the applied rewrite rule $l \to r$ in the step $s_i \to_{\mathcal{R}} t_i$ must come from $\mathcal{U}(\mathcal{C})$ according to part 1 of Lemma 27. Let $\sigma$ be the substitution with $\mathrm{Dom}(\sigma) \subseteq \mathrm{Var}(l)$ such that $s_i = l\sigma$ and $t_i = r\sigma$. According to part 2 of Lemma 27, $r$ contains no $\mathcal{G}$-symbols and thus we obtain $I_{\mathcal{G}}(s_i) \to^*_{\mathcal{C}_\varepsilon} l\sigma_{I_{\mathcal{G}}}$ and $I_{\mathcal{G}}(t_i) = r\sigma_{I_{\mathcal{G}}}$ from Lemma 25. Clearly $l\sigma_{I_{\mathcal{G}}} \to_{\mathcal{U}(\mathcal{C})} r\sigma_{I_{\mathcal{G}}}$ and thus $I_{\mathcal{G}}(s_i) \to^*_{\mathcal{U}(\mathcal{C}) \cup \mathcal{C}_\varepsilon} I_{\mathcal{G}}(t_i)$. Lemma 26 now yields the desired $I_{\mathcal{G}}(s) \to^*_{\mathcal{U}(\mathcal{C}) \cup \mathcal{C}_\varepsilon} I_{\mathcal{G}}(t)$. □

After these preparations, the main result¹ of this section is now easily proved.

¹ This result has been independently obtained by Thiemann et al. [21].

Theorem 29. Let $\mathcal{R}$ be a TRS and let $\mathcal{C}$ be a cycle in $\mathrm{DG}(\mathcal{R})$. If there exist an argument filtering $\pi$ and a reduction pair $(\gtrsim, >)$ such that $\pi(\mathcal{U}(\mathcal{C}) \cup \mathcal{C}_\varepsilon) \subseteq \; \gtrsim$, $\pi(\mathcal{C}) \subseteq \; \gtrsim \cup >$, and $\pi(\mathcal{C}) \cap > \; \neq \varnothing$ then there are no $\mathcal{C}$-minimal rewrite sequences.

Proof. Suppose to the contrary that there exists a $\mathcal{C}$-minimal rewrite sequence:

$$t_1 \to^*_{\mathcal{R}} u_1 \to_{\mathcal{C}} t_2 \to^*_{\mathcal{R}} u_2 \to_{\mathcal{C}} t_3 \cdots \qquad (3)$$

Let $\mathcal{G}$ be the set of defined symbols of $\mathcal{R} \setminus \mathcal{U}(\mathcal{C})$. We show that after applying the interpretation $I_{\mathcal{G}}$ we obtain an infinite rewrite sequence in $\mathcal{U}(\mathcal{C}) \cup \mathcal{C}_\varepsilon \cup \mathcal{C}$ in which every rule of $\mathcal{C}$ is used infinitely often. Since all terms in (3) belong to $\mathcal{T}_\infty$, they are terminating with respect to $\mathcal{R}$ and hence we can indeed apply the interpretation $I_{\mathcal{G}}$. Let $i \geq 1$.

— First consider the dependency pair step $u_i \to_{\mathcal{C}} t_{i+1}$. There exist a dependency pair $l \to r \in \mathcal{C}$ and a substitution $\sigma$ such that $u_i = l\sigma$ and $t_{i+1} = r\sigma$. We may assume that $\mathrm{Dom}(\sigma) \subseteq \mathrm{Var}(l)$. Since $u_i \in \mathcal{T}_\infty$, $\sigma(x)$ is terminating for every variable $x \in \mathrm{Var}(l)$. Hence the substitution $\sigma_{I_{\mathcal{G}}}$ is well-defined. Since $r$ lacks $\mathcal{G}$-symbols by Lemma 27, we have $I_{\mathcal{G}}(r\sigma) = r\sigma_{I_{\mathcal{G}}}$ by Lemma 25. Furthermore, $I_{\mathcal{G}}(l\sigma) \to^*_{\mathcal{C}_\varepsilon} l\sigma_{I_{\mathcal{G}}}$ by Lemma 25. Hence

$$I_{\mathcal{G}}(u_i) \to^*_{\mathcal{C}_\varepsilon} l\sigma_{I_{\mathcal{G}}} \to_{\mathcal{C}} r\sigma_{I_{\mathcal{G}}} = I_{\mathcal{G}}(t_{i+1}).$$

— Next consider the rewrite sequence $t_i \to^*_{\mathcal{R}} u_i$. Because all terms in this sequence are terminating, we obtain $I_{\mathcal{G}}(t_i) \to^*_{\mathcal{U}(\mathcal{C}) \cup \mathcal{C}_\varepsilon} I_{\mathcal{G}}(u_i)$ by repeated applications of Lemma 28.

Next we apply the argument filtering $\pi$ to all terms in the resulting infinite rewrite sequence in $\mathcal{U}(\mathcal{C}) \cup \mathcal{C}_\varepsilon \cup \mathcal{C}$. Because of the assumptions of this theorem, we can simply reuse the proof of Theorem 18 (where $\mathcal{U}(\mathcal{C}) \cup \mathcal{C}_\varepsilon$ takes the place of $\mathcal{R}$) and obtain the desired contradiction with the well-foundedness of $>$. □

Since $\mathcal{U}(\mathcal{C})$ in general is a proper subset of $\mathcal{R}$, the condition $\pi(\mathcal{U}(\mathcal{C})) \subseteq \; \gtrsim$ is easier to satisfy than the condition $\pi(\mathcal{R}) \subseteq \; \gtrsim$ of Theorem 18. What about the additional condition $\pi(\mathcal{C}_\varepsilon) \subseteq \; \gtrsim$? By choosing $\pi(\mathsf{cons}) = [1, 2]$ the condition reduces to $\mathsf{cons}(x, y) \gtrsim x$ and $\mathsf{cons}(x, y) \gtrsim y$. Virtually all reduction pairs that are used in termination tools can be extended to satisfy this condition. For reduction pairs that are based on simplification orders, like $(\geq_{\mathrm{lpo}}, >_{\mathrm{lpo}})$, this is clear. A sufficient condition that makes the semantic construction described in Section 4 for generating reduction pairs work is that each pair of elements of the carrier has a least upper bound. For interpretations in the set $\mathbb{N}$ of natural numbers equipped with the standard order this is obviously satisfied. The necessity of the least upper bound condition follows by considering the term algebra associated with the famous rule $f(a, b, x) \to f(x, x, x)$ of Toyama [22] equipped with the well-founded order

As a matter of fact, due to the condition $\pi(\mathcal{C}_\varepsilon) \subseteq \; \gtrsim$, Theorem 29 provides only a sufficient condition for the absence of $\mathcal{C}$-minimal rewrite sequences. A concrete example of a terminating TRS that cannot be proved terminating by the criterion of Theorem 29 will be presented at the end of this section.
Example 30. Let us take a final look at the SCC {11, 12, 13, 14} in our leading example. There are no usable rules. By taking the linear polynomial interpretation $\mathsf{A}^\sharp_{\mathbb{N}}(x, y) = x + y$ and $\mathsf{V}_{\mathbb{N}}(x, y) = x + y + 1$ the involved dependency pairs reduce to the following inequalities:

11: $x + y + z + 1 > x + y$
12: $x + y + z + 1 > x + z$
13: $x + y + z + 1 > x + y$
14: $x + y + z + 1 > x + z$

Hence there are no $\mathcal{C}$-minimal rewrite sequences for any nonempty subset $\mathcal{C} \subseteq \{11, 12, 13, 14\}$ and we conclude that the TRS is terminating.


The modularity result in Giesl et al. [10] can be expressed as the version of Theorem 29 where $\mathcal{U}(\mathcal{C})$ is replaced by

$$\mathcal{U}'(\mathcal{C}) = \bigcup_{l \to r \in \mathcal{C}} \mathcal{U}'(l^\flat)$$

The mapping $(\cdot)^\flat \colon \mathcal{T}^\sharp \to \mathcal{T}$ replaces the dependency pair symbol $f^\sharp$ at the root of its argument by the original defined function symbol $f$ and $\mathcal{U}'(t)$ is computed like $\mathcal{U}(t)$ but with a different relation $\blacktriangleright'$ that relates more function symbols: $f \blacktriangleright' g$ if there exists a rewrite rule $l \to r \in \mathcal{R}$ such that $f = \mathrm{root}(l)$ and $g$ is a defined function symbol in $\mathrm{Fun}(l) \cup \mathrm{Fun}(r)$.

Since $\mathcal{U}(r) \subseteq \mathcal{U}(l^\flat) \subseteq \mathcal{U}'(l^\flat)$ for every dependency pair $l \to r$, it is clear that $\mathcal{U}(\mathcal{C})$ is always a subset of $\mathcal{U}'(\mathcal{C})$. Very often it is a proper subset and that may affect the ability to prove termination. This will become clear from the experimental data in the next section.

Example 31. If we adopt the above definition of usable rules then for the SCC 
{7, 8, 9, 10} in our leading example all five rewrite rules are usable whereas for 
the SCC {11,12,13,14} only rules 4 and 5 are usable. For the SCC {9} in 
Example 13 all seven rewrite rules and for the SCC {10,11,12} rules 3-7 are 
usable. Finally, for the SCC {7} in Example 14 rules 1 and 2 are usable whereas 
for the SCC {8, 10} all six rewrite rules are usable. 

Combining the two main results of this paper, we arrive at the following 
corollary. 

Corollary 32. A TRS $\mathcal{R}$ is terminating if for every cycle $\mathcal{C}$ in $\mathrm{DG}(\mathcal{R})$ one of the following two conditions holds:

— there exists a simple projection $\pi$ for $\mathcal{C}$ such that $\pi(\mathcal{C}) \subseteq \; \trianglerighteq$ and $\pi(\mathcal{C}) \cap \vartriangleright \; \neq \varnothing$,

— there exist an argument filtering $\pi$ and a reduction pair $(\gtrsim, >)$ such that $\pi(\mathcal{U}(\mathcal{C}) \cup \mathcal{C}_\varepsilon) \subseteq \; \gtrsim$, $\pi(\mathcal{C}) \subseteq \; \gtrsim \cup >$, and $\pi(\mathcal{C}) \cap > \; \neq \varnothing$. □

The final example in this paper shows that the reverse does not hold. This is in contrast to Theorem 18, which provides a sufficient and necessary condition for termination. The reason is that termination of a TRS $\mathcal{R}$ is equivalent to the termination of $\mathcal{R} \cup \mathrm{DP}(\mathcal{R})$, a result due to [1] (see [18] for a simple proof based on type introduction).

Example 33. Consider the terminating TRS $\mathcal{R}$ consisting of the following two rewrite rules:

1: $f(s(a), s(b), x) \to f(x, x, x)$

2: $g(f(s(x), s(y), z)) \to g(f(x, y, z))$

There are three dependency pairs:

3: $f^\sharp(s(a), s(b), x) \to f^\sharp(x, x, x)$

4: $g^\sharp(f(s(x), s(y), z)) \to g^\sharp(f(x, y, z))$

5: $g^\sharp(f(s(x), s(y), z)) \to f^\sharp(x, y, z)$

The dependency graph (an edge from 5 to 3, an edge from 4 to 5, and a loop at 4) contains one cycle: $\mathcal{C} = \{4\}$. The only simple projection for $g^\sharp$ transforms 4 into

4: $f(s(x), s(y), z) \to f(x, y, z)$

and $f(x, y, z)$ is not a proper subterm of $f(s(x), s(y), z)$. We have $\mathcal{U}(\mathcal{C}) = \{1\}$. We claim that the inclusions $\pi(\mathcal{U}(\mathcal{C}) \cup \mathcal{C}_\varepsilon) \subseteq \; \gtrsim$ and $\pi(\mathcal{C}) \subseteq \; >$ are not satisfied for any argument filtering $\pi$ and reduction pair $(\gtrsim, >)$. The reason is simply that the term $t = g^\sharp(f(u, u, u))$ with $u = s(\mathsf{cons}(s(a), s(b)))$ admits the following cyclic reduction in $\mathcal{U}(\mathcal{C}) \cup \mathcal{C}_\varepsilon \cup \mathcal{C}$:

$$\begin{array}{rcl}
t & \to_{\mathcal{C}} & g^\sharp(f(\mathsf{cons}(s(a), s(b)), \mathsf{cons}(s(a), s(b)), u)) \\
  & \to_{\mathcal{C}_\varepsilon} & g^\sharp(f(s(a), \mathsf{cons}(s(a), s(b)), u)) \\
  & \to_{\mathcal{C}_\varepsilon} & g^\sharp(f(s(a), s(b), u)) \\
  & \to_{\mathcal{U}(\mathcal{C})} & t
\end{array}$$
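The dependency pairs of Example 33 and the two usable-rules notions compared above, as an added Python example that is not part of the paper: it computes $\mathrm{DP}(\mathcal{R})$ for the two rules of Example 33, then $\mathcal{U}(\mathcal{C})$ via $\blacktriangleright$ and $\mathcal{U}'(\mathcal{C})$ via $\blacktriangleright'$ on the cycle $\mathcal{C} = \{4\}$ (the term encoding and function names are my own).

```python
# Terms of a first-order TRS: a variable is a str, an application f(t1,...,tn) is (f, (t1,...,tn)).
def T(f, *args):
    return (f, tuple(args))

def is_var(t):
    return isinstance(t, str)

def root(t):
    return t[0]

def funs(t):
    """All function symbols occurring in t."""
    return set() if is_var(t) else {t[0]}.union(*(funs(a) for a in t[1]))

def subterms(t):
    yield t
    if not is_var(t):
        for a in t[1]:
            yield from subterms(a)

# The TRS of Example 33, numbered as on the page.
x, y, z = "x", "y", "z"
R = {1: (T("f", T("s", T("a")), T("s", T("b")), x), T("f", x, x, x)),
     2: (T("g", T("f", T("s", x), T("s", y), z)), T("g", T("f", x, y, z)))}

def defined_symbols(rules):
    return {root(l) for l, _ in rules.values()}

def mark(t):
    """f(t1,...,tn) -> f#(t1,...,tn), the dependency pair symbol."""
    return (root(t) + "#", t[1])

def flat(t):
    """(.)b of Section 5: replace f# at the root by the original symbol f."""
    return (root(t).rstrip("#"), t[1])

def dependency_pairs(rules):
    """DP(R): l# -> u# for every rule l -> r and every subterm u of r with a defined root."""
    D = defined_symbols(rules)
    return [(mark(l), mark(u)) for l, r in rules.values()
            for u in subterms(r) if not is_var(u) and root(u) in D]

def reachable(rules, include_lhs):
    """For each defined f, the set of g with f |>* g.  |> relates root(l) to the defined
    symbols of r (the paper's relation); with include_lhs it is |>' of [10], which also
    relates root(l) to the defined symbols of l."""
    D = defined_symbols(rules)
    succ = {f: set() for f in D}
    for l, r in rules.values():
        succ[root(l)] |= (funs(r) | (funs(l) if include_lhs else set())) & D
    closure = {}
    for f in D:
        seen, todo = {f}, [f]
        while todo:
            for h in succ[todo.pop()] - seen:
                seen.add(h)
                todo.append(h)
        closure[f] = seen
    return closure

def usable(t, rules, include_lhs=False):
    """U(t) (resp. U'(t)): numbers of the rules whose root symbol is |>*-reachable
    (resp. |>'*-reachable) from a defined symbol occurring in t."""
    D = defined_symbols(rules)
    cl = reachable(rules, include_lhs)
    targets = set().union(*(cl[f] for f in funs(t) & D))
    return {n for n, (l, _) in rules.items() if root(l) in targets}

def usable_rules(C, rules):
    """U(C): the union of U(r) over all dependency pairs l -> r in C."""
    return set().union(*(usable(r, rules) for _, r in C))

def usable_rules_giesl(C, rules):
    """U'(C): the union of U'(l b) over all dependency pairs l -> r in C."""
    return set().union(*(usable(flat(l), rules, True) for l, _ in C))

if __name__ == "__main__":
    dps = dependency_pairs(R)             # three pairs, in the order 3, 4, 5 of the page
    C = [dps[1]]                          # the cycle {4}: g#(f(s(x),s(y),z)) -> g#(f(x,y,z))
    print("U(C)  =", usable_rules(C, R))        # {1}
    print("U'(C) =", usable_rules_giesl(C, R))  # {1, 2}
```

Only the rule for $f$ is usable under $\mathcal{U}$, while $\mathcal{U}'$ also picks up rule 2 because $\blacktriangleright'$ reaches $g$ through the left-hand side of $4^\flat$.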



6 Benchmarks 

We implemented the new criteria presented in the preceding sections in the Ty- 
rolean Termination Tool [16], the successor of the Tsukuba Termination Tool [15]. 

We tested the effect of the improvements described in the previous sections 
on 223 examples from three different sources: 

— all 89 terminating TRSs from Arts and Giesl [2],

— all 23 TRSs from Dershowitz [7],

— all 119 terminating TRSs from Steinbach and Kühler [19, Sections 3 and 4].




266 



Nao Hirokawa and Aart Middeldorp 



Eight of these TRSs appear in more than one collection, so the total number is 223. In all experiments we used the EDG* approximation [17] of the dependency graph and, when the lexicographic path order is used, the divide and conquer algorithm described in the full version of [14] to search for suitable argument filterings. The experiments were performed on a PC equipped with a 2.20 GHz Mobile Intel Pentium 4 Processor-M and 512 MB of memory.



Table 1. Summary.

                       s       l      sl            ul            sul
success              128     133     149     144 (138)     152 (151)
                    0.01    0.07    0.01   0.01 (0.02)   0.01 (0.01)
failure               95      90      74      79 (85)       71 (72)
                    0.01    0.01    0.01   0.01 (0.02)   0.01 (0.02)
timeout                0       0       0        0 (0)         0 (0)
total time          1.72   10.49    2.33   2.31 (4.46)   2.07 (2.80)

                       p      sp              up              sup
success              139     180       179 (148)       189 (185)
                    0.32    0.37     0.28 (0.33)     0.25 (0.40)
failure               77      39         44 (71)         34 (37)
                    0.52    0.33     0.03 (0.66)     0.03 (0.59)
timeout                7       4           0 (4)           0 (1)
total time        294.13  198.83  51.30 (215.93)  47.79 (125.97)



The results are summarized in Table 1. The letters in the column headings have the following meaning:

s  the subterm criterion of Section 3,
u  the usable rules criterion of Section 5,
l  lexicographic path order in combination with the argument filtering heuristic that considers for an n-ary function symbol the full argument filtering [1, ..., n] in addition to the n collapsing argument filterings 1, ..., n,
p  polynomial interpretation restricted to linear polynomials with coefficients from {0, 1}; the usefulness of the latter restriction has been first observed in [11].

We list the number of successful termination attempts, the number of failures (which means that no termination proof was found while fully exploring the search space implied by the options), and the number of timeouts, which we set to 30 seconds. The numbers in parentheses refer to the usable rules criterion of [10] which is described in the latter part of Section 5. The figures below the number of successes and failures indicate the average time in seconds. It is interesting to note that the subterm criterion could handle 279 of the 395 generated SCCs, resulting in termination proofs for 128 of the 223 TRSs.
Abstract. Based on the simply typed term rewriting framework, inductive reasoning in higher-order rewriting is studied. The notion of higher-order inductive theorems is introduced to reflect the higher-order features of simply typed term rewriting. Then the inductionless induction methods in first-order term rewriting are incorporated to verify higher-order inductive theorems. In order to ensure that higher-order inductive theorems are closed under contexts, the notion of higher-order sufficient completeness is introduced. Finally, the decidability of higher-order sufficient completeness is discussed.



1 Introduction 

In a framework based on equational logic such as functional programming and 
algebraic specification, properties of a particular recursive data structure can be 
verified by induction. Once an appropriate translation from a specification to a 
set of equational axioms has been established, inductive properties of the spec- 
ification can be proved using term rewriting. Automatically proving inductive 
theorems by term rewriting has been widely investigated since earlier works [5, 
8,17]. 

Higher-order functions are ubiquitous in functional programming. However, they cannot be expressed directly in usual term rewriting, and thus various frameworks of higher-order extension of term rewriting have been proposed in the literature. In most of these frameworks, termination proofs are difficult to cope with, and consequently only a few attempts have been made to incorporate higher-order functions into inductive theorem proving.

Simply typed term rewriting proposed by Yamada [21] is a simple extension of first-order term rewriting which incorporates higher-order functions. Equational specifications using higher-order functions, like functional programs, are naturally expressed in this framework. In contrast to the usual higher-order term rewriting frameworks [6, 9, 15], simply typed term rewriting dispenses with bound variables. In this respect, simply typed term rewriting reflects limited higher-order features. On the other hand, the simply typed term rewriting framework is succinct and theoretically much easier to deal with.
of Science, No. 14580357, No. 14780187 and a grant from Ministry of Education, Culture, Sports, Science and Technology, No. 15017203.
In this paper, we study inductive theorem proving in higher-order rewriting based on the simply typed term rewriting framework. We show that there is an equation that is intuitively inductively valid, but is inductively invalid in terms of first-order inductive reasoning. We propose the notion of higher-order inductive theorem that reflects higher-order features more adequately. Then inductionless induction methods in first-order term rewriting are incorporated into simply typed term rewriting to verify higher-order inductive theorems. It also turns out that a higher-order inductive theorem is not always closed under contexts. To ensure that higher-order inductive theorems are closed under contexts, we introduce the notion of higher-order sufficient completeness. The decidability of higher-order sufficient completeness for a subclass of simply typed term rewriting systems is shown by introducing the notion of higher-order quasi-reducibility.

2 Preliminaries 

In this section, we first fix our notation on abstract reduction systems, and recall 
a result about equivalence of abstract reduction systems. Based on this equiva- 
lence condition, we review notions and results on inductive theorem proving in 
first-order term rewriting. We assume the reader to be familiar with abstract 
reduction systems and (first-order) term rewriting [4, 19]. 

2.1 Equivalence of Abstract Reduction Systems 

An abstract reduction system (ARS, for short) is a pair $\langle A, \to \rangle$ of a set $A$ and a binary relation $\to$ on $A$. The reflexive transitive closure and the equivalence closure of $\to$ are denoted by $\to^*$ and $\leftrightarrow^*$, respectively. An element $a \in A$ is reducible when $a \to b$ for some $b \in A$; otherwise, it is normal or in normal form. The sets of reducible and normal elements of an ARS $\mathcal{A}$ are denoted by $\mathrm{RED}(\mathcal{A})$ and $\mathrm{NF}(\mathcal{A})$, respectively. Elements $a \in A$ and $b \in A$ are joinable if $a \to^* c \leftarrow^* b$ for some $c \in A$. An ARS $\mathcal{A}$ is weakly normalizing ($\mathrm{WN}(\mathcal{A})$) if for any $a \in A$ there exists $b \in \mathrm{NF}(\mathcal{A})$ such that $a \to^* b$, is terminating or strongly normalizing ($\mathrm{SN}(\mathcal{A})$) if there is no infinite reduction sequence, and is confluent ($\mathrm{CR}(\mathcal{A})$) if $a, b \in A$ are joinable whenever $a \leftarrow^* c \to^* b$ for some $c \in A$.

The following proposition provides a sufficient condition for the equivalence of two ARSs, which is the basis of all our results on inductive theorem proving (cf. [10, 20]).

Proposition 1 (equivalence condition for ARSs). Let $\mathcal{A}_1 = \langle A, \to_1 \rangle$ and $\mathcal{A}_2 = \langle A, \to_2 \rangle$ be ARSs such that $\to_1 \subseteq \to_2$. Suppose that the following conditions are satisfied: (1) $\mathrm{WN}(\mathcal{A}_1)$, (2) $\mathrm{CR}(\mathcal{A}_2)$, (3) $\mathrm{NF}(\mathcal{A}_1) \subseteq \mathrm{NF}(\mathcal{A}_2)$. Then $\leftrightarrow^*_1 = \leftrightarrow^*_2$.

The third condition above is equivalent to $\mathrm{RED}(\mathcal{A}_2) \subseteq \mathrm{RED}(\mathcal{A}_1)$. It is often useful to consider a set $X \subseteq \mathrm{RED}(\mathcal{A}_1)$ of intermediate elements reachable from $\mathrm{RED}(\mathcal{A}_2)$.

Proposition 2 (inclusion of normal elements). Let $\mathcal{A}_1 = \langle A, \to_1 \rangle$ and $\mathcal{A}_2 = \langle A, \to_2 \rangle$ be ARSs such that $\to_1 \subseteq \to_2$. Suppose there exists a subset $X$ of $A$ such that (1) for any $a \in \mathrm{RED}(\mathcal{A}_2)$ there exists $b \in X$ such that $a \to_1^* b$, (2) $X \subseteq \mathrm{RED}(\mathcal{A}_1)$. Then $\mathrm{NF}(\mathcal{A}_1) \subseteq \mathrm{NF}(\mathcal{A}_2)$.
In this paper, we consider two instances of the proposition above in order to give criteria for the inclusion between two sets of normal forms. One is an abstraction of the use of coversets and the other corresponds to sufficient completeness.

Proposition 3 (coverset in ARS). Let $\mathcal{A}_1 = \langle A, \to_1 \rangle$ and $\mathcal{A}_2 = \langle A, \to_2 \rangle$ be ARSs such that $\to_1 \subseteq \to_2$. Suppose there exists a collection $\mathcal{C}$ of subsets of $A$ such that (1) for any $a \in \mathrm{RED}(\mathcal{A}_2)$ there exist $C \in \mathcal{C}$ and $b \in C$ such that $a \to_1^* b$, (2) $C \subseteq \mathrm{RED}(\mathcal{A}_1)$ for any $C \in \mathcal{C}$. Then $\mathrm{NF}(\mathcal{A}_1) \subseteq \mathrm{NF}(\mathcal{A}_2)$.

Proof. Take $X = \bigcup \mathcal{C}$ in Proposition 2. □

Proposition 4 (sufficient completeness in ARS). Let $\mathcal{A}_1 = \langle A, \to_1 \rangle$ and $\mathcal{A}_2 = \langle A, \to_2 \rangle$ be ARSs such that $\to_1 \subseteq \to_2$. Suppose there exists a subset $C$ of $A$ such that (1) for any $a \in \mathrm{RED}(\mathcal{A}_2)$ there exists $b \in A \setminus C$ such that $a \to_1^* b$, (2) $A \setminus C \subseteq \mathrm{RED}(\mathcal{A}_1)$. Then $\mathrm{NF}(\mathcal{A}_1) \subseteq \mathrm{NF}(\mathcal{A}_2)$.

Proof. Take $X = A \setminus C$ in Proposition 2. □



2.2 First-Order Inductive Theorem Proving 

We denote by $T(F, V)$ the set of many-sorted terms over a set $F$ of sorted function symbols and the set $V$ of sorted variables. An equation is a pair of terms of the same sort, written as $l \approx r$. The sets of variables occurring in a term $t$ and in an equation $l \approx r$ are written as $V(t)$ and $V(l \approx r)$. A ground term is a term without variables. A substitution $\theta$ is said to be ground when $\theta(x)$ is ground for every variable in its domain $\mathrm{Dom}(\theta) = \{ x \mid \theta(x) \neq x \}$. We put subscript $g$ to denote ground terms, substitutions, and contexts, e.g. $t_g$, $\theta_g$, and $C_g$.

Let $\mathcal{R} = \langle S, F, R \rangle$ be a many-sorted term rewriting system (many-sorted TRS, for short) where $S$ is a set of sorts, $F$ is a set of function symbols, and $R$ is a set of rewrite rules. An equation $l \approx r$ is an inductive theorem of $\mathcal{R}$ if $l\theta_g \leftrightarrow^*_{\mathcal{R}} r\theta_g$ holds for all ground substitutions $\theta_g$ such that $V(l \approx r) \subseteq \mathrm{Dom}(\theta_g)$. Obviously, $\langle T(F, \varnothing), \to_{\mathcal{R}} \rangle$ forms an ARS. We denote $\mathrm{NF}(\langle T(F, \varnothing), \to_{\mathcal{R}} \rangle)$, $\mathrm{WN}(\langle T(F, \varnothing), \to_{\mathcal{R}} \rangle)$, etc. by $\mathrm{NF}_g(\mathcal{R})$, $\mathrm{WN}_g(\mathcal{R})$, etc., respectively. Proposition 1 gives a sufficient condition for an equation to be an inductive theorem of a many-sorted TRS. Let $\mathcal{R} = \langle S, F, R \rangle$ be a many-sorted TRS and $l \approx r$ an equation on $T(F, V)$. In order to prove the equation $l \approx r$ to be an inductive theorem of $\mathcal{R}$, we often consider the extended TRS $\mathcal{R}' = \langle S, F, R \cup \{ l \to r \} \rangle$, which we denote by $\mathcal{R} \cup \{ l \to r \}$.

Proposition 5 (inductive theorem proving). Let $\mathcal{R}$ be a many-sorted TRS and $\mathcal{R}' = \mathcal{R} \cup \{ l \to r \}$. Suppose the following conditions are satisfied: (1) $\mathrm{WN}_g(\mathcal{R})$, (2) $\mathrm{CR}_g(\mathcal{R}')$, (3) $\mathrm{NF}_g(\mathcal{R}) \subseteq \mathrm{NF}_g(\mathcal{R}')$. Then $l \approx r$ is an inductive theorem of $\mathcal{R}$.

Proof. Let $\mathcal{R} = \langle S, F, R \rangle$. Take $\mathcal{A}_1 = \langle T(F, \varnothing), \to_{\mathcal{R}} \rangle$ and $\mathcal{A}_2 = \langle T(F, \varnothing), \to_{\mathcal{R}'} \rangle$ in Proposition 1. □
To check condition (3) of the proposition efficiently, the notion of coverset is used. For a many-sorted TRS $\mathcal{R}$ and a term $t$, a set $\Theta$ of substitutions is a coverset of substitutions for $t$ w.r.t. $\mathcal{R}$ if for any ground substitution $\theta_g$ satisfying $V(t) \subseteq \mathrm{Dom}(\theta_g)$, there exists a substitution $\sigma \in \Theta$ and a ground substitution $\theta'_g$ such that $t\theta_g \to^*_{\mathcal{R}} t\sigma\theta'_g$.

Proposition 6 (inductive theorem proving with coverset). Let $\mathcal{R}$ be a many-sorted TRS and $\mathcal{R}' = \mathcal{R} \cup \{ l \to r \}$. Suppose that the following conditions are satisfied: (1) $\mathrm{WN}_g(\mathcal{R})$, (2) $\mathrm{CR}_g(\mathcal{R}')$, (3) $l\sigma \in \mathrm{RED}(\mathcal{R})$ for all $\sigma \in \Theta$ where $\Theta$ is a coverset of substitutions for $l$ w.r.t. $\mathcal{R}$. Then $l \approx r$ is an inductive theorem of $\mathcal{R}$.

Proof. We use Proposition 5. The inclusion $\mathrm{NF}_g(\mathcal{R}) \subseteq \mathrm{NF}_g(\mathcal{R}')$ follows from condition (3) by taking $\mathcal{C} = \{ \mathrm{RED}_\sigma \mid \sigma \in \Theta \}$ in Proposition 3 where $\mathrm{RED}_\sigma = \{ C_g[l\sigma\theta_g] \mid V(l\sigma) \subseteq \mathrm{Dom}(\theta_g) \}$. □

Another condition is obtained by strengthening condition (1). Let us divide the set of function symbols into two disjoint sets as follows. We say a function symbol $f$ is a defined symbol of a many-sorted TRS $\langle S, F, R \rangle$ if $f = \mathrm{root}(l)$ for some $l \to r \in R$; otherwise, $f$ is a constructor symbol. The sets of defined and constructor symbols are denoted by $F_d$ and $F_c$, respectively. A many-sorted TRS $\mathcal{R}$ is sufficiently complete ($\mathrm{SC}(\mathcal{R})$) if for any ground term $s_g$ there exists a ground constructor term $t_g$ such that $s_g \to^*_{\mathcal{R}} t_g$.

Proposition 7 (inductive theorem proving with SC). Let $\mathcal{R}$ be a many-sorted TRS and $\mathcal{R}' = \mathcal{R} \cup \{ l \to r \}$. Suppose the following conditions are satisfied: (1) $\mathrm{SC}(\mathcal{R})$, (2) $\mathrm{CR}_g(\mathcal{R}')$, (3) $l$ contains a defined symbol. Then $l \approx r$ is an inductive theorem of $\mathcal{R}$.

Proof. Let $\mathcal{R} = \langle S, F, R \rangle$. We use Proposition 5. By definition, $\mathrm{SC}(\mathcal{R})$ implies $\mathrm{WN}_g(\mathcal{R})$. By $\mathrm{SC}(\mathcal{R})$, every ground term containing a defined symbol is reducible. Hence, the inclusion $\mathrm{NF}_g(\mathcal{R}) \subseteq \mathrm{NF}_g(\mathcal{R}')$ follows from condition (3) by taking $C = T(F_c, \varnothing)$ in Proposition 4. □

It is known that when $\mathrm{WN}_g(\mathcal{R})$ holds, it is decidable whether $\mathrm{SC}(\mathcal{R})$ for possibly non-left-linear $\mathcal{R}$ (see, e.g., [7, 18]).

3 Higher-Order Inductive Theorems 

In this section, we first recall the basic notions and terminology of simply typed 
term rewriting, which were introduced in [21]. Then we introduce the notion of 
higher-order inductive theorems, which is suitable for STTRSs. 

3.1 Simply Typed Term Rewriting Systems 

For a set $B$ of basic types, the set of simple types is the smallest set $\mathrm{ST}(B)$ such that (1) $B \subseteq \mathrm{ST}(B)$, and (2) $\tau_1 \times \cdots \times \tau_n \to \tau_0 \in \mathrm{ST}(B)$ whenever $\tau_0, \tau_1, \ldots, \tau_n \in \mathrm{ST}(B)$. A non-basic type is called a higher-order type. Note that our definition allows multiple basic types whereas the original one in [21] is based on a single basic type. When clear, simple type is abbreviated as type.
Each constant or variable is associated with its type; the sets of constants and variables of type $\tau$ are denoted by $\Sigma^\tau$ and $V^\tau$, respectively. $\Sigma$ and $V$ stand for the sets of all constants and variables, respectively. We assume that $V^\tau$ is countably infinite for each simple type $\tau$. The sets of variables of basic types and of higher-order types are denoted by $V^b$ and $V^h$, respectively.

The set $T(\Sigma, V)^\tau$ of simply typed terms of type $\tau$ over $\Sigma$ and $V$ is defined as follows: (1) $\Sigma^\tau \cup V^\tau \subseteq T(\Sigma, V)^\tau$, and (2) if $s \in T(\Sigma, V)^{\tau_1 \times \cdots \times \tau_n \to \tau}$ ($n \geq 1$) and $t_i \in T(\Sigma, V)^{\tau_i}$ for all $i \in \{1, \ldots, n\}$ then $(s\; t_1 \cdots t_n) \in T(\Sigma, V)^\tau$. A simply typed term $t$ has type $\tau$ (denoted by $t^\tau$) when $t \in T(\Sigma, V)^\tau$. It is clear that each simply typed term has a unique type; thus $\tau$ is also referred to as the type of $t$ (denoted by $\mathrm{type}(t)$). The set of all simply typed terms is denoted by $T(\Sigma, V)$. The sets of simply typed terms of basic types and of higher-order types are denoted by $T^b(\Sigma, V)$ and $T^h(\Sigma, V)$, respectively.

The head symbol of a simply typed term is defined as follows: (1) $\mathrm{head}(t) = t$ if $t \in \Sigma \cup V$, and (2) $\mathrm{head}((s\; t_1 \cdots t_n)) = \mathrm{head}(s)$. A simply typed term is linear if no variable occurs more than once in it. A simply typed equation is a pair of simply typed terms of the same type, written as $l \approx r$. The sets of variables occurring in a term $t$ and in an equation $l \approx r$ are written as $V(t)$ and $V(l \approx r)$, respectively.

A context is a simply typed term with a special symbol $\square$ (hole). If a context $C$ has $n$ holes and $t_1, \ldots, t_n$ are simply typed terms then $C[t_1, \ldots, t_n]$ is the simply typed term obtained from $C$ by replacing holes with $t_1, \ldots, t_n$ from left to right. A term $s$ is a subterm of a term $t$ (denoted by $s \trianglelefteq t$) if $t = C[s]$ for some context $C$ with precisely one hole. A substitution is a mapping $\sigma \colon V \to T(\Sigma, V)$ that satisfies the following conditions: (1) $\mathrm{Dom}(\sigma) = \{ x \mid \sigma(x) \neq x \}$ is finite, and (2) for every variable $x$, $x$ and $\sigma(x)$ have the same type. The homomorphic extension of $\sigma$ to $T(\Sigma, V)$ is also denoted by $\sigma$. As usual, $\sigma(t)$ is written as $t\sigma$.

A simply typed equation $l \approx r$ is called a simply typed rewrite rule if $\mathrm{head}(l) \in \Sigma$ and $V(r) \subseteq V(l)$. A simply typed rewrite rule $l \approx r$ will be often written as $l \to r$. A triple $\langle B, \Sigma, R \rangle$ consisting of a set $B$ of basic types, a set $\Sigma$ of constants, and a set $R$ of simply typed rewrite rules is called a simply typed term rewriting system (STTRS, for short). The rewrite relation $\to_{\mathcal{R}}$ induced by a simply typed term rewriting system $\mathcal{R} = \langle B, \Sigma, R \rangle$ is the smallest relation over $T(\Sigma, V)$ satisfying the following conditions: (1) $l\sigma \to_{\mathcal{R}} r\sigma$ for all $l \to r \in R$ and for all substitutions $\sigma$, and (2) if $s \to_{\mathcal{R}} t$ then $C[s] \to_{\mathcal{R}} C[t]$ for all contexts $C$. A constant symbol $f$ is a defined symbol of $\mathcal{R}$ if $f = \mathrm{head}(l)$ for some $l \to r \in R$; otherwise, $f$ is a constructor symbol. The sets of defined and constructor symbols are denoted by $\Sigma_d$ and $\Sigma_c$, respectively.



Example 1 (simply typed term rewriting). Let $\mathcal{R} = \langle B, \Sigma, R \rangle$ be an STTRS where $B = \{ \mathsf{N}, \mathsf{NList} \}$, $\Sigma = \{ 0^{\mathsf{N}},\ \mathsf{s}^{\mathsf{N} \to \mathsf{N}},\ [\,]^{\mathsf{NList}},\ {:}^{\mathsf{N} \times \mathsf{NList} \to \mathsf{NList}},\ \mathsf{map}^{(\mathsf{N} \to \mathsf{N}) \times \mathsf{NList} \to \mathsf{NList}},\ \circ^{(\mathsf{N} \to \mathsf{N}) \times (\mathsf{N} \to \mathsf{N}) \to (\mathsf{N} \to \mathsf{N})},\ \mathsf{twice}^{(\mathsf{N} \to \mathsf{N}) \to (\mathsf{N} \to \mathsf{N})} \}$, and

$$R = \left\{ \begin{array}{rcl}
\mathsf{map}\; F\; [\,] & \to & [\,] \\
\mathsf{map}\; F\; (x : \mathit{xs}) & \to & (F\; x) : (\mathsf{map}\; F\; \mathit{xs}) \\
(F \circ G)\; x & \to & F\; (G\; x) \\
\mathsf{twice}\; F & \to & F \circ F
\end{array} \right.$$

Here is an example of a rewrite sequence of $\mathcal{R}$:

$$\begin{array}{rcl}
\mathsf{map}\; (\mathsf{twice}\; \mathsf{s})\; (0 : [\,]) & \to_{\mathcal{R}} & \mathsf{map}\; (\mathsf{s} \circ \mathsf{s})\; (0 : [\,]) \\
 & \to_{\mathcal{R}} & ((\mathsf{s} \circ \mathsf{s})\; 0) : (\mathsf{map}\; (\mathsf{s} \circ \mathsf{s})\; [\,]) \\
 & \to_{\mathcal{R}} & (\mathsf{s}\; (\mathsf{s}\; 0)) : (\mathsf{map}\; (\mathsf{s} \circ \mathsf{s})\; [\,]) \\
 & \to_{\mathcal{R}} & (\mathsf{s}\; (\mathsf{s}\; 0)) : [\,].
\end{array}$$



3.2 Inductive Theorems of STTRSs 

One may define the notion of inductive theorem of an STTRS exactly the same as that of a many-sorted TRS, that is, an equation $l \approx r$ is an inductive theorem of an STTRS $\mathcal{R}$ if $l\theta_g \leftrightarrow^*_{\mathcal{R}} r\theta_g$ holds for any ground substitution $\theta_g$ such that $V(l \approx r) \subseteq \mathrm{Dom}(\theta_g)$. Henceforth, we call this notion of inductive theorem first-order. Propositions 5 and 7 are extended to STTRSs in the obvious way.

Example 2 (first-order inductive theorem proving). Let $\mathcal{R} = \langle B, \Sigma, R \rangle$ be an STTRS where $B = \{ \mathsf{N}, \mathsf{NList} \}$, $\Sigma = \{ 0^{\mathsf{N}},\ [\,]^{\mathsf{NList}},\ {:}^{\mathsf{N} \times \mathsf{NList} \to \mathsf{NList}},\ \mathsf{append}^{\mathsf{NList} \times \mathsf{NList} \to \mathsf{NList}},\ \mathsf{map}^{(\mathsf{N} \to \mathsf{N}) \times \mathsf{NList} \to \mathsf{NList}} \}$, and

$$R = \left\{ \begin{array}{rcl}
\mathsf{map}\; F\; [\,] & \to & [\,] \\
\mathsf{map}\; F\; (x : \mathit{xs}) & \to & (F\; x) : (\mathsf{map}\; F\; \mathit{xs}) \\
\mathsf{append}\; [\,]\; \mathit{ys} & \to & \mathit{ys} \\
\mathsf{append}\; (x : \mathit{xs})\; \mathit{ys} & \to & x : (\mathsf{append}\; \mathit{xs}\; \mathit{ys})
\end{array} \right.$$

Let us now show that the equation

$$e = \mathsf{map}\; F\; (\mathsf{append}\; \mathit{xs}\; \mathit{ys}) \approx \mathsf{append}\; (\mathsf{map}\; F\; \mathit{xs})\; (\mathsf{map}\; F\; \mathit{ys})$$

is a first-order inductive theorem of $\mathcal{R}$. Let $\mathcal{R}' = \mathcal{R} \cup \{ e \}$. Using the method in [1] or [2] one can show that $\mathrm{SN}(\mathcal{R}')$ holds, and thus $\mathrm{WN}_g(\mathcal{R})$ follows. All critical pairs of $\mathcal{R}'$ are joinable. By $\mathrm{SN}(\mathcal{R}')$ and the Critical Pair Lemma for STTRS [3], it follows that $\mathcal{R}'$ is confluent. Hence $\mathrm{CR}_g(\mathcal{R}')$. One can show that $\Theta = \{ \{ \mathit{xs} \mapsto [\,] \}, \{ \mathit{xs} \mapsto y : \mathit{ys} \} \}$ is a coverset of substitutions for the left-hand side of $e$ w.r.t. $\mathcal{R}$. It is easy to check $(\mathsf{map}\; F\; (\mathsf{append}\; \mathit{xs}\; \mathit{ys}))\sigma \in \mathrm{RED}(\mathcal{R})$ for any $\sigma \in \Theta$. Therefore, $e$ is a first-order inductive theorem of $\mathcal{R}$.

As seen from the next example, the notion of first-order inductive theorem 
is inadequate for equational reasoning in STTRS because of the presence of 
higher-order terms. 

Example 3 (inadequateness of first-order inductive theorem). Let $\mathcal{R} = \langle B, \Sigma, R \rangle$ be an STTRS where $B = \{ \mathsf{N} \}$, $\Sigma = \{ 0^{\mathsf{N}},\ \mathsf{s}^{\mathsf{N} \to \mathsf{N}},\ \mathsf{id}_0^{\mathsf{N} \to \mathsf{N}},\ \mathsf{id}_1^{\mathsf{N} \to \mathsf{N}} \}$, and

$$R = \left\{ \begin{array}{rcl}
\mathsf{id}_0\; 0 & \to & 0 \\
\mathsf{id}_0\; (\mathsf{s}\; x) & \to & \mathsf{s}\; (\mathsf{id}_0\; x) \\
\mathsf{id}_1\; x & \to & x
\end{array} \right.$$

Consider whether the equation $\mathsf{id}_0 \approx \mathsf{id}_1$ is an inductive theorem of $\mathcal{R}$. Since both $\mathsf{id}_0$ and $\mathsf{id}_1$ are ground, and $\mathsf{id}_0 \leftrightarrow^*_{\mathcal{R}} \mathsf{id}_1$ does not hold, the equation $\mathsf{id}_0 \approx \mathsf{id}_1$ is not a first-order inductive theorem of $\mathcal{R}$.

Since $\mathsf{id}_0$ computes the same result as $\mathsf{id}_1$ does for any argument of type $\mathsf{N}$, it seems natural to regard the equation $\mathsf{id}_0 \approx \mathsf{id}_1$ as inductively valid.

Inductive theorems are mostly useful to verify properties of functional programs, algebraic specifications, etc., and from this point of view only the "evaluation form" matters: since functional programs are evaluated on ground terms of basic types, it is reasonable to define inductive theorems in higher-order rewriting as those equations that are valid on the set of ground terms of basic types.

Inductive theorems of a higher-order type are verified after turning them into an equation of basic type by appending fresh variables without changing their "inductive" meaning.

Definition 1 (extensional form).

1. Let $t$ be a simply typed term of type $\tau_{11} \times \cdots \times \tau_{1n_1} \to (\tau_{21} \times \cdots \times \tau_{2n_2} \to (\cdots \to (\tau_{m1} \times \cdots \times \tau_{mn_m} \to \rho) \cdots))$ such that $\rho$ is a basic type. An extensional form of $t$ is a term $((\cdots((t\; x_{11} \cdots x_{1n_1})\; x_{21} \cdots x_{2n_2}) \cdots)\; x_{m1} \cdots x_{mn_m})$ where $x_{11}, \ldots, x_{mn_m}$ are mutually distinct fresh variables. Clearly, any extensional form of a simply typed term has a basic type. The extensional form of $t$ with fresh variables $x_{11}, \ldots, x_{mn_m}$ is written as $t{\uparrow}_{x_{11}, \ldots, x_{mn_m}}$.

2. Let $\Phi(s_1, \ldots, s_n)$ be an expression containing simply typed terms $s_1, \ldots, s_n$ of the same type. The extensional form $\Phi(s_1{\uparrow}_{x_{11}, \ldots, x_{mn_m}}, \ldots, s_n{\uparrow}_{x_{11}, \ldots, x_{mn_m}})$ of $\Phi(s_1, \ldots, s_n)$ is obtained by replacing each simply typed term $s_i$ in the expression by $s_i{\uparrow}_{x_{11}, \ldots, x_{mn_m}}$, where $x_{11}, \ldots, x_{mn_m}$ are mutually distinct fresh variables.

3. When the variables $x_{11}, \ldots, x_{mn_m}$ are not important, we omit them and simply write, e.g., $t{\uparrow}$ and $\Phi(s_1{\uparrow}, \ldots, s_n{\uparrow})$.

Example 4 (extensional form). An extensional form of $\mathsf{map}$ is $\mathsf{map}\; F\; \mathit{xs}$, and an extensional form of $\circ$ is $(F \circ G)\; x$. An extensional form of the equation $\mathsf{id}_0 \approx \mathsf{id}_1$ is $\mathsf{id}_0\; x \approx \mathsf{id}_1\; x$.

Definition 2 (higher-order inductive theorem). An equation $l \approx r$ is a higher-order inductive theorem of an STTRS $\mathcal{R}$ if $l{\uparrow}\theta_g \leftrightarrow^*_{\mathcal{R}} r{\uparrow}\theta_g$ holds for all ground substitutions $\theta_g$ such that $V(l{\uparrow} \approx r{\uparrow}) \subseteq \mathrm{Dom}(\theta_g)$.

The next theorem follows immediately from the definition of higher-order 
inductive theorem and Proposition 1. 

Theorem 1 (higher-order inductive theorem proving). Let $\mathcal{R}$ be an STTRS and $\mathcal{R}' = \mathcal{R} \cup \{ l{\uparrow} \to r{\uparrow} \}$. Suppose the following conditions are satisfied: (1) $\mathrm{WN}_g(\mathcal{R})$, (2) $\mathrm{CR}_g(\mathcal{R}')$, (3) $\mathrm{NF}_g(\mathcal{R}) \subseteq \mathrm{NF}_g(\mathcal{R}')$. Then $l \approx r$ is a higher-order inductive theorem of $\mathcal{R}$.

The notion of coverset of substitutions is extended to STTRS in an obvious way as follows. For an STTRS $\mathcal{R}$ and a simply typed term $t$, a set $\Theta$ of substitutions is a coverset of substitutions for $t$ w.r.t. $\mathcal{R}$ if for any ground substitution $\theta_g$ satisfying $V(t) \subseteq \mathrm{Dom}(\theta_g)$, there exists a substitution $\sigma \in \Theta$ and a ground substitution $\theta'_g$ such that $t\theta_g \to^*_{\mathcal{R}} t\sigma\theta'_g$.

Theorem 2 (higher-order inductive theorem proving with coverset). Let $\mathcal{R}$ be an STTRS and $\mathcal{R}' = \mathcal{R} \cup \{ l{\uparrow} \to r{\uparrow} \}$. Suppose the following conditions are satisfied: (1) $\mathrm{WN}_g(\mathcal{R})$, (2) $\mathrm{CR}_g(\mathcal{R}')$, (3) $l{\uparrow}\sigma \in \mathrm{RED}(\mathcal{R})$ for all $\sigma \in \Theta$, where $\Theta$ is a coverset of substitutions for $l{\uparrow}$ w.r.t. $\mathcal{R}$. Then $l \approx r$ is a higher-order inductive theorem of $\mathcal{R}$.

Example 5 (higher-order inductive theorem proving). Let us consider Example 3 again. By taking an extensional form of the equation $\mathsf{id}_0 \approx \mathsf{id}_1$, we obtain the equation $\mathsf{id}_0\; x \approx \mathsf{id}_1\; x$. Let $\mathcal{R}' = \mathcal{R} \cup \{ \mathsf{id}_0\; x \to \mathsf{id}_1\; x \}$. Then $\mathrm{WN}_g(\mathcal{R})$ and $\mathrm{CR}_g(\mathcal{R}')$ are proved in the same way as Example 2. By taking the coverset of substitutions $\Theta = \{ \{ x \mapsto 0 \}, \{ x \mapsto \mathsf{s}\; y \} \}$, condition (3) is easily verified. Therefore, the equation $\mathsf{id}_0 \approx \mathsf{id}_1$ is a higher-order inductive theorem of $\mathcal{R}$.

The notion of sufficient completeness is extended to STTRS as follows. An STTRS $\mathcal{R}$ is sufficiently complete ($\mathrm{SC}(\mathcal{R})$) if for any ground term $s_g$ of basic type there exists a ground constructor term $t_g$ of basic type such that $s_g \to^*_{\mathcal{R}} t_g$.

Theorem 3 (higher-order inductive theorem proving with SC). Let $\mathcal{R}$ be an STTRS and $\mathcal{R}' = \mathcal{R} \cup \{ l{\uparrow} \to r{\uparrow} \}$. Suppose the following conditions are satisfied: (1) $\mathrm{SC}(\mathcal{R})$, (2) $\mathrm{CR}_g(\mathcal{R}')$, (3) $l$ contains a defined symbol. Then $l \approx r$ is a higher-order inductive theorem of $\mathcal{R}$.



4 Monotone Higher-Order Inductive Theorem 



In contrast to first-order inductive theorems, the higher-order inductive theorems introduced in the previous section may not be monotone, that is, even if $l \approx r$ is a higher-order inductive theorem of an STTRS, $C[l] \approx C[r]$ may not be a higher-order inductive theorem depending on the choice of the context $C$; this observation is due to K. Kusakari. In this section, we study monotonicity of higher-order inductive theorems.

Definition 3 (monotone higher-order inductive theorem). Let $\mathcal{R}$ be an STTRS. A higher-order inductive theorem $l \approx r$ of $\mathcal{R}$ is monotone if $C[l] \approx C[r]$ is a higher-order inductive theorem of $\mathcal{R}$ for any context $C$.

First, let us examine examples of higher-order inductive theorems that are 
not monotone. 



Example 6. Let $\mathcal{R} = \langle B, \Sigma, R \rangle$ be an STTRS such that $B = \{ \mathsf{N} \}$, $\Sigma = \{ 0^{\mathsf{N}},\ \mathsf{s}^{\mathsf{N} \to \mathsf{N}},\ {+}^{\mathsf{N} \to \mathsf{N} \to \mathsf{N}},\ \mathsf{f}^{(\mathsf{N} \to \mathsf{N}) \to \mathsf{N}} \}$, and

$$R = \left\{ \begin{array}{rcl}
(+\; x)\; 0 & \to & x \\
(+\; x)\; (\mathsf{s}\; y) & \to & \mathsf{s}\; ((+\; x)\; y) \\
\mathsf{f}\; \mathsf{s} & \to & 0 \\
\mathsf{f}\; (+\; x) & \to & \mathsf{s}\; 0
\end{array} \right.$$

The equation $+\; (\mathsf{s}\; 0) \approx \mathsf{s}$ is an inductive theorem of $\mathcal{R}$. However, $\mathsf{f}\; (+\; (\mathsf{s}\; 0)) \approx \mathsf{f}\; \mathsf{s}$ is not, since $\mathsf{f}\; (+\; (\mathsf{s}\; 0)) \to_{\mathcal{R}} \mathsf{s}\; 0 \neq 0 \leftarrow_{\mathcal{R}} \mathsf{f}\; \mathsf{s}$. Thus the equation $+\; (\mathsf{s}\; 0) \approx \mathsf{s}$ is not monotone.
The key observation on what leads to non-monotonicity of higher-order inductive theorems is that $l \approx r$ being a higher-order inductive theorem implies only $C[l{\uparrow}\theta_g] \leftrightarrow^*_{\mathcal{R}} C[r{\uparrow}\theta_g]$ but not necessarily $(C[l]){\uparrow}\sigma_g \leftrightarrow^*_{\mathcal{R}} (C[r]){\uparrow}\sigma_g$. Let us examine an example where such a desired implication seems satisfied.



Example 1 (inductive theorem within a context). Consider the STTRS defined by 
7^ = (B, S,R) where B = { N, NList }, L" = { pNList^ .NxNList^NList^ 

-hN^N^N^ map(N^N)xNList^NList 



R = 



(+ 0) y 
(+ (s a;)) y 
map F [] 
map F (x : xs) 



s ((-h a;) y) 

[] 

(F x) : (map F xs) 



The equation -|- (s 0) « s is a higher-order inductive theorem of TZ. Consider the 
context C = map □ (0 : []). We are going to verify the equation C[+ (s 0)] « C[s] 
also is a higher-order inductive theorem. 

map (+ (s 0)) (0 : []) ((-h (s 0)) 0) : (map (+ (s 0)) []) 

(s ((+ 0) 0)) : (map (+ (s 0)) []) 

(s 0) : (map (d- (s 0)) []) 

- 7 ^ (s 0) : [] 

(s 0) : map s [] 
map s (0 : []) 



This rewrite sequence can be reconstructed from (-f (s 0)) 0 s 0 and 

mapF(0:[]) (F 0) : map F [] (F 0) : []. 

The observation above motivates the notion of higher-order sufficient com- 
pleteness. 

Definition 4 (higher-order sufficient completeness). 

1. Let t be a simply typed term such that t = C[F] for some higher-order variable F. The 
occurrence of F is said to be expanded if the occurrence of F in t has the 
form t = C'[F θ] for some context C' and a substitution θ. 

2. An STTRS ℛ = (B, Σ, R) is said to be higher-order sufficiently complete 
(HSC(ℛ)) if for any simply typed term s ∈ T^b(Σ, V^{ho}) (the terms of basic type 
all of whose variables are of higher-order type) there exists t ∈ 
T^b(Σ, V^{ho}) such that s →* t and that either t has an expanded variable 
occurrence or t is a ground constructor term. 

Example 8 (higher-order sufficient completeness). Let ℛ be the STTRS in Ex- 
ample 7, s = map F (0 : []), and t = (F 0) : []. The occurrence of variable F in 
s is non-expanded, while that of F in t is expanded. Using a result in Section 5, 
it will turn out that ℛ is higher-order sufficiently complete. Indeed, we have 
s →* t ∈ T^b(Σ, V^{ho}) and t has an expanded variable occurrence. 

Note that HSC(ℛ) implies SC(ℛ) since reduction preserves groundness. 
Hence the notion of higher-order sufficient completeness extends the notion of 
(first-order) sufficient completeness. 

Lemma 1 (sufficient condition for monotonicity). If an STTRS ℛ sat- 
isfies SN_g(ℛ) and HSC(ℛ), then every higher-order inductive theorem of ℛ is 
monotone. 

Proof. Suppose l ≈ r is a higher-order inductive theorem. We have to show that 
C[l] ≈ C[r] also is a higher-order inductive theorem. Let s = C_g[lθ_g, …, lθ_g] 
and t = C_g[rθ_g, …, rθ_g]. We prove s ↓ t for all ground contexts C_g of 
basic type and ground substitutions θ_g, which implies the desired result as a 
special case when C_g contains precisely one hole. The proof proceeds by well- 
founded induction on s w.r.t. →ℛ. If l and r have a basic type, then s ↓ t 
immediately follows from the assumption that l ≈ r is an inductive theorem. 
Consider the case that l and r have a non-basic type. Let C' be a context ob- 
tained from C_g by replacing all (possibly zero) expanded occurrences of holes 
with an arbitrary variable F whose type is the same as that of l and r. Let 
σ and τ be substitutions satisfying σ(F) = lθ_g and τ(F) = rθ_g. We have 
s = C'σ[lθ_g, …, lθ_g] and t = C'τ[rθ_g, …, rθ_g]. Since all occurrences of F in 
C' are expanded, the assumption that l ≈ r is a higher-order inductive theo- 
rem implies C'σ[F, …, F] ↓ C'τ[F, …, F]. By HSC(ℛ), there exists a term 
u = D_g[F, …, F] with some ground context D_g such that C'σ[F, …, F] →* u 
and either u is a ground constructor term or there is an expanded occurrence of F 
in u. In the former case, D_g has no holes and hence both s = C'σ[lθ_g, …, lθ_g] 
→* uσ = D_g and t = C'τ[rθ_g, …, rθ_g] ↓ C'σ[rθ_g, …, rθ_g] →* uτ = D_g are 
satisfied. In the latter case, the reduction sequence from C'σ[F, …, F] to u 
consists of at least one step, which implies the non-emptiness of the correspond- 
ing rewrite sequences from s to uσ. By the induction hypothesis, we obtain 
uσ = D_g[lθ_g, …, lθ_g] ↓ D_g[rθ_g, …, rθ_g] = uτ. Hence, both s →* uσ ↓ uτ 
and t = C'τ[rθ_g, …, rθ_g] ↓ C'σ[rθ_g, …, rθ_g] →* uτ are satisfied. In both 
cases, we obtained s ↓ t. □ 

Combining Theorem 3 and Lemma 1, we obtain the following theorem. 

Theorem 4 (monotone higher-order inductive theorem proving with 
HSC). Let ℛ be an STTRS and ℛ' = ℛ ∪ {l† → r†}. Suppose the following 
conditions are satisfied: (1) SN_g(ℛ), (2) HSC(ℛ), (3) CR_g(ℛ'), (4) l contains a 
defined symbol. Then l ≈ r is a monotone higher-order inductive theorem of ℛ. 

Example 9 (monotone higher-order inductive theorem proving). Let ℛ = (B, Σ, 
R) be an STTRS where B = { N, NList }, Σ_d = { map^{(N→N)→(NList→NList)}, 
∘^{(N→N)×(N→N)→(N→N)}, •^{(NList→NList)×(NList→NList)→(NList→NList)} }, 
Σ_c = { 0^N, s^{N→N}, []^{NList}, :^{N×NList→NList} }, and 

  R = { (map F) [] → [], 
        (map F) (x : xs) → (F x) : ((map F) xs), 
        (F ∘ G) x → F (G x), 
        (X • Y) xs → X (Y xs) }. 

HSC(ℛ) will be shown in Example 11. So, for the moment, suppose HSC(ℛ). 
Let us consider the equation e = map (F ∘ G) ≈ (map F) • (map G). By 
taking an extensional form of this equation, we obtain e' = (map (F ∘ G)) xs ≈ 
((map F) • (map G)) xs. Let ℛ' = ℛ ∪ {e'}. In the same way as Example 2, one 
can show SN_g(ℛ) and CR_g(ℛ'). The term map (F ∘ G) contains the defined symbols 
map and ∘. Therefore, by Theorem 4, e is a monotone higher-order inductive 
theorem of ℛ. 

5 Decidability of Higher-Order Sufficient Completeness 

It is undecidable, in general, whether higher-order sufficient completeness holds 
for a given STTRS. In first-order term rewriting, the related property called 
quasi-reducibility plays an important role in proving the decidability of sufficient 
completeness for TRSs satisfying certain conditions [7, 18]. In order to present a 
class of STTRSs where higher-order sufficient completeness is decidable, we 
need to extend the notion of quasi-reducibility. 

Definition 5 (argument subterms). Every constant and variable has no ar- 
gument subterms. The argument subterms of a simply typed term (s t_1 ⋯ t_n) 
are the argument subterms of s together with the terms t_1, …, t_n. The set of all 
argument subterms in t is denoted by Arg(t). 

Example 10 (argument subterms). The simply typed term map F has a unique 
argument subterm F. The argument subterms of (map (s ∘ s)) (0 : []) are s ∘ s 
and 0 : []. 

Definition 6 (higher-order quasi-reducibility). An STTRS ℛ = (B, Σ, 
R) is higher-order quasi-reducible (HQR(ℛ)) when for any term t such that 
head(t) ∈ Σ_d, if every argument subterm of t of basic type is a ground con- 
structor term and every argument subterm of higher-order type is a variable, then t is reducible. 

We are going to show, under some conditions, that the equivalence of HQR(ℛ) 
and HSC(ℛ) holds and that HQR(ℛ) is decidable. Consequently, HSC(ℛ) is de- 
cidable for that class of STTRSs. We first present a condition by which HQR(ℛ) 
implies HSC(ℛ). 

Definition 7 (elementary STTRS). The set ST_el of elementary types is de- 
fined inductively as: (1) B ⊆ ST_el, (2) if τ_1, …, τ_n ∈ B (n ≥ 1) and τ_0 ∈ ST_el 
then τ_1 × ⋯ × τ_n → τ_0 ∈ ST_el. Let Σ_el = ∪_{τ ∈ ST_el} Σ^τ. An STTRS ℛ = (B, Σ, R) 
is said to be elementary (EL(ℛ)) if Σ_c ⊆ Σ_el is satisfied. 

Observe that if a set Σ of function symbols satisfies Σ_c ⊆ Σ_el, then all 
argument subterms of a simply typed term t are of basic type whenever head(t) 
is a constructor symbol. 

Lemma 2 (key property for ensuring HSC). Let ℛ be an STTRS satisfying 
HQR(ℛ) and EL(ℛ). If t is a normal form of basic type and all variables in t 
are of higher-order type, then t either has some expanded variable occurrence or 
is a ground constructor term. 
Proof. The proof proceeds by structural induction on t. Distinguish cases by 
head(t). □ 

The notions of higher-order quasi-reducibility and elementarity appear in [12] 
to give a sufficient condition for SC(ℛ). 

Theorem 5 (equivalence condition for HQR and HSC). Let ℛ be an 
STTRS satisfying WN^{ho}(ℛ) and EL(ℛ). Then, HQR(ℛ) iff HSC(ℛ). 

Proof. The "if" direction is obvious by definition. For a proof of the "only if" 
direction, let ℛ = (B, Σ, R) and s ∈ T^b(Σ, V^{ho}). By WN^{ho}(ℛ), there exists a 
normal form t of s such that t ∈ T^b(Σ, V^{ho}). Hence the result follows from 
Lemma 2 using EL(ℛ). □ 

Example 11 (proving higher-order sufficient completeness). We now show that 
the STTRS in Example 9 is higher-order sufficiently complete. In that example, it 
has been shown that SN^{ho}(ℛ) holds and hence so does WN^{ho}(ℛ). Clearly, EL(ℛ) and 
HQR(ℛ) hold. Thus by Theorem 5 it follows that ℛ is higher-order sufficiently 
complete. 

The condition EL(ℛ) is essential, because WN^{ho}(ℛ) and HQR(ℛ) do not 
necessarily guarantee HSC(ℛ), as the following example shows. 

Example 12. Let ℛ = (B, Σ, R) be an STTRS where B = { N, NPair }, Σ = { 
0^N, s^{N→N}, +^{N→N→N}, φ^{(N→N)→NPair}, ⟨·,·⟩^{(N→N)×(N→N)→NPair} } and 

  R = { φ F → ⟨F, F⟩, 
        (+ x) 0 → x, 
        (+ x) (s y) → s ((+ x) y) }. 

Then, both WN^{ho}(ℛ) and HQR(ℛ) are satisfied. The term ⟨(+ 0), (+ 0)⟩ is a 
normal form and contains defined symbols, while it has no expanded variables. 

We next show that higher-order sufficient completeness is decidable for a 
class of elementary STTRSs. In our decidability proof, we need to distinguish 
occurrences of argument subterms. The notions of argument depth and argument 
position are introduced for that purpose. 

Definition 8 (argument depth). The argument depth, or simply the depth, 
d(t) of a simply typed term t is defined by d(t) = 1 + max{d(s) | s ∈ Arg(t)}, 
where max ∅ = 0. The argument depth d(ℛ) of an STTRS ℛ = (B, Σ, R) is 
defined by d(ℛ) = max{d(l) | l → r ∈ R}. 

Definition 9 (argument position). A finite sequence of pairs of positive in- 
tegers is called an argument position. The set APos(t) of argument positions in 
a simply typed term t and the subterm t|_p of t at p ∈ APos(t) are defined as 
follows: 

  APos(t) = {ε} ∪ ∪_{i,j} {ij.p | p ∈ APos(t_ij)} 

  t|_ε = t 

  t|_{ij.p} = t_ij|_p 

where t = ((⋯((a t_11 ⋯ t_1n_1) t_21 ⋯ t_2n_2) ⋯) t_m1 ⋯ t_mn_m) with a ∈ Σ ∪ V. 

The prefix order ≥ on argument positions is defined as follows: p ≥ q iff p = q.q' 
for some q'. We write p ‖ q when neither p ≥ q nor p ≤ q. 

Example 13 (argument depth / argument position). Let s = (map (s ∘ s)) (0 : []). 
Then d(s) = 3 and APos(s) = {ε, 11, 21, 11.11, 11.12, 21.11, 21.12}. We have 
s|_p = 0 when p = 21.11. 
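The argument subterms, argument depth and argument positions of Definitions 5, 8 and 9, computed on the term of Example 13 and on the left-hand sides of Example 9. This is an added example, not code from the paper; the applicative term encoding (`('app', head, [args])`, with ∘ and : written prefix and • spelled `.`) is a constructed representation chosen here.

```python
# Added example (not from the paper): Arg(t), d(t), APos(t) and t|_p of
# Definitions 5, 8 and 9 on the terms of Examples 9, 10 and 13.
# Term representation (constructed here): a constant or variable is a str;
# an application (s t_1 ... t_n) is ('app', s, [t_1, ..., t_n]).

def app(head, *args):
    return ('app', head, list(args))

def spine(t):
    """Flatten ((...((a t_11 ... t_1n1) t_21 ... t_2n2) ...) t_m1 ... t_mnm)
    into (a, [[t_11, ...], [t_21, ...], ..., [t_m1, ...]]) as in Definition 9."""
    groups = []
    while isinstance(t, tuple):
        _, head, args = t
        groups.insert(0, args)
        t = head
    return t, groups

def arg_subterms(t):
    """Arg(t): none for constants/variables; Arg(s t_1..t_n) = Arg(s) + [t_1..t_n]."""
    if isinstance(t, str):
        return []
    _, head, args = t
    return arg_subterms(head) + list(args)

def depth(t):
    """d(t) = 1 + max{d(s) | s in Arg(t)}, with max of the empty set = 0."""
    return 1 + max((depth(s) for s in arg_subterms(t)), default=0)

def apos(t):
    """APos(t) = {eps} U {ij.p | p in APos(t_ij)}; a position is a tuple of (i, j) pairs."""
    positions = [()]
    _, groups = spine(t)
    for i, group in enumerate(groups, 1):
        for j, sub in enumerate(group, 1):
            positions += [((i, j),) + p for p in apos(sub)]
    return positions

def subterm_at(t, p):
    """t|_eps = t and t|_{ij.p} = t_ij|_p."""
    if not p:
        return t
    (i, j), rest = p[0], p[1:]
    _, groups = spine(t)
    return subterm_at(groups[i - 1][j - 1], rest)

def fmt_pos(p):
    return '.'.join(f'{i}{j}' for i, j in p) or 'eps'

def rule_depth(lhss):
    """d(R) = max{d(l) | l -> r in R}, given the left-hand sides of R."""
    return max(depth(l) for l in lhss)

# s = (map (s o s)) (0 : []) of Example 13, with o and : written prefix
EX13_S = app(app('map', app('o', 's', 's')), app(':', '0', '[]'))

# left-hand sides of the four rules of Example 9 (• spelled '.')
EX9_LHSS = [app(app('map', 'F'), '[]'),
            app(app('map', 'F'), app(':', 'x', 'xs')),
            app(app('o', 'F', 'G'), 'x'),
            app(app('.', 'X', 'Y'), 'xs')]

if __name__ == '__main__':
    print(depth(EX13_S))                             # 3
    print(sorted(fmt_pos(p) for p in apos(EX13_S)))  # eps, 11, 21, 11.11, ...
    print(subterm_at(EX13_S, ((2, 1), (1, 1))))      # 0
    print(rule_depth(EX9_LHSS))                      # 3
```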

Let B^f, B' ⊆ B be the sets of basic types τ such that T^τ(Σ_c, ∅) is finite and 
infinite, respectively. Without loss of generality, we assume that¹ there exists 
a constant of type τ for each τ ∈ B and that² for any τ ∈ B^f all ground 
constructors of type τ are constants. Clearly, for each type τ ∈ B' and each 
positive integer k, there exists a ground constructor term of type τ whose depth is 
k; so, let δ_k^τ be a simply typed term in T^τ(Σ_c, ∅) such that d(δ_k^τ) = k, for each 
τ ∈ B' and k > 0. We will omit the superscript of δ_k^τ when it is clear from the 
context. 

Definition 10 (top of a term). Suppose Σ_c ⊆ Σ_el. Let k be a positive integer 
and t be a ground constructor term of basic type. Let p_1, …, p_n be the list of all 
argument positions p in t satisfying |p| > k − 1. Then the top of t of depth k is 
the term obtained from t by replacing each subterm t|_{p_i} by x_i, which is denoted 
by top_k(t). Finally, let Top_k^τ = {top_k(t) | t ∈ T^τ(Σ_c, ∅)} for all τ ∈ B. We will 
omit the superscript of Top_k^τ whenever it is clear from the context. 

Example 14 (top of a term). Let B = { N, NList } and Σ_c = { 0^N, s^{N→N}, 
[]^{NList}, :^{N×NList→NList} }. Then Top_1^{NList} = {[], y : ys}, 
and Top_2^{NList} = {[], 0 : [], 0 : (y : ys), (s x) : [], (s z) : (w : ws)}. 

Lemma 3 (finiteness of tops). Suppose Σ_c ⊆ Σ_el. If Σ_c is finite, then Top_k^τ 
is finite (modulo variable renaming) for any positive integer k and τ ∈ B. 
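An enumeration of Top_k^τ of Definition 10 straight from an elementary constructor signature, checked against Example 14. This is an added example and not the paper's code; the signature table and the rendering of cut-off subterms as `?` (Top_k is taken modulo variable renaming) are constructed here.

```python
# Added example (not from the paper): Top_k^tau of Definition 10 for a constructor
# signature Sigma_c with Sigma_c within Sigma_el, i.e. all constructor arguments are
# of basic type, so a term of depth k is cut at argument positions of length k.
from itertools import product

# constructed signature of Example 14: (symbol, argument types, result type)
SIGMA_C = [('0', [], 'N'), ('s', ['N'], 'N'),
           ('[]', [], 'NList'), (':', ['N', 'NList'], 'NList')]

def tops(tau, k, sigma_c=SIGMA_C):
    """All tops of depth k of ground constructor terms of type tau: every
    argument position p with |p| > k - 1 is replaced by a variable ('?')."""
    if k == 0:
        return ['?']
    result = []
    for c, arg_types, res_type in sigma_c:
        if res_type != tau:
            continue
        for args in product(*(tops(a, k - 1, sigma_c) for a in arg_types)):
            result.append((c, list(args)))
    return result

def render(t, top=True):
    """Print in the paper's infix style, e.g. (s ?) : (? : ?)."""
    if t == '?':
        return '?'
    c, args = t
    if not args:
        return c
    if c == ':':
        s = f'{render(args[0], False)} : {render(args[1], False)}'
    else:
        s = c + ' ' + ' '.join(render(a, False) for a in args)
    return s if top else f'({s})'

def top_set(tau, k):
    """Top_k^tau modulo variable renaming, as a set of rendered strings."""
    return {render(t) for t in tops(tau, k)}

if __name__ == '__main__':
    print(top_set('NList', 1))   # {'[]', '? : ?'}
    print(top_set('NList', 2))   # the five terms of Example 14
```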

To present a class of STTRSs for which higher-order sufficient completeness 
is decidable, we need the notion of higher-order scheme. 

Definition 11 (higher-order scheme). An STTRS ℛ = (B, Σ, R) is said to 
be a higher-order scheme (HS(ℛ)) if every rewrite rule l → r ∈ R satisfies the 
properties that no higher-order variable occurs more than once in l and that for 
each subterm (s t_1 ⋯ t_n) in l and for any i ∈ {1, …, n}, t_i is a variable whenever 
it is of higher-order type. 

Example 15 (higher-order scheme). The STTRSs in Examples 1, 2, 3, 7, 9, and 12 
are all higher-order schemes. The STTRS in Example 6 is not. 

Lemma 4. Let ℛ = (B, Σ, R) be an STTRS satisfying EL(ℛ) and HS(ℛ). Let 
k = d(ℛ) and f ∈ Σ_d. Then the following two statements are equivalent: 

1. There exists a linear simply typed term t in normal form with head(t) = f 
such that for every argument subterm s of t, we have s ∈ Top_k if s has a 
basic type, and otherwise s is a variable. 

2. There exists a simply typed term t in normal form with head(t) = f such 
that every argument subterm s of t is a ground constructor term if s has a 
basic type and is a variable otherwise. 

¹ If there is no ground constructor term of type τ then just ignore that type; otherwise 
take a minimal ground constructor term of type τ and regard it as a constant. 

² Regard each ground constructor term of type τ as a constant. 

Combining Lemmata 3 and 4, we obtain the following theorem, which yields 
our main decidability result as a corollary with the help of Theorem 5. 

Theorem 6 (decidability of HQR). Let ℛ be an STTRS which satisfies 
HS(ℛ) and EL(ℛ). Then it is decidable whether ℛ is higher-order quasi- 
reducible. 

Corollary 1 (decidability of HSC). Let ℛ be an STTRS which satisfies 
WN^{ho}(ℛ), HS(ℛ) and EL(ℛ). Then it is decidable whether ℛ is higher-order 
sufficiently complete. 

6 Related Works 

Linnestad et al. [14] extended Huet and Hullot's inductive theorem proving proce- 
dure [5] to Nipkow's higher-order rewriting framework [18]. They introduced the 
notion of first-order substitution (a substitution that instantiates only first-order 
variables) and showed that when their inductive theorem proving procedure ter- 
minates with Proof, then the given equation s ≈ t is initially consistent with 
a convergent HRS ℛ, that is, the normal form of sσ equals that of tσ for any 
first-order ground substitution σ. Clearly, the notion of first-order substitution 
is closely related to the way we extend the notion of quasi-reducibility to the 
higher-order case. The notion of initial consistency is similar to first-order induc- 
tive validity, but in our framework initial consistency is not easy to work with, 
since our notion of inductive validity starts from a more abstract setting. 

Kusakari et al. [13] introduced a higher-order equational logic and its ex- 
tensional algebraic semantics based on the higher-order term rewriting introduced 
by Kusakari [11]; regardless of the difference in underlying formulation, Kusakari's 
higher-order term rewriting framework is included in simply typed term rewrit- 
ing. They showed that the quotient ground term algebra is an initial extensional 
model and introduced two kinds of inductive validity, which correspond to first- 
order inductive theorems and monotone higher-order inductive theorems; they also 
presented an inductive theorem proving framework similar to the one given in Ex- 
ample 2. In [12], Kusakari extends these results to S-expression rewriting systems 
(SRSs, for short); there he also claims that any SRS ℛ satisfies SC(ℛ) whenever 
WN(ℛ), EL(ℛ), and HQR(ℛ) hold. 

Apart from the ones mentioned above, there are a number of works on higher- 
order extensional algebraic structures and their equational proof theory. In a survey 
[16], higher-order extensional algebraic structures and a sound and complete 
equational calculus for them have been given based on a higher-order language with prod- 
uct and functional types. The equational calculus given there, however, seems 
difficult to relate to simply typed term rewriting. 
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7 Conclusion 

We have proposed the notion of higher-order inductive theorem in simply typed 
term rewriting, which enables us to reason about equational specifications in the 
presence of higher-order terms. It turned out that for the proof of an equation 
l ≈ r to be a higher-order inductive theorem of a given STTRS ℛ, it suffices 
to show the following three properties on ground terms: weak normalisation of 
ℛ, confluence of the extended system ℛ ∪ {l† → r†}, and the coincidence of 
reducibility in these two systems. There are two ways to guarantee the third 
condition. One is to use the notion of coverset of substitutions, and the other is 
by sufficient completeness. 

Since higher-order inductive theorems are not necessarily monotone, we have 
provided a method to guarantee this property. Higher-order sufficient complete- 
ness together with termination guarantees monotonicity. We have also proved 
that higher-order sufficient completeness is decidable for the class of weakly nor- 
malizing elementary higher-order schemes. 



Acknowledgments 

The authors would like to thank Keiichiro Kusakari for pointing out that higher- 
order inductive validity does not form a congruence. Thanks are due to anony- 
mous referees for comments and suggestions on related pointers. 



References 

1. T. Aoto and T. Yamada. Proving termination of simply typed term rewriting 
systems automatically. IPSJ Transactions on Programming, 44(SIG 4 PRO 17):67- 
77, 2003. In Japanese. 

2. T. Aoto and T. Yamada. Termination of simply typed term rewriting systems 
by translation and labelling. In Proceedings of the 14th International Conference 
on Rewriting Techniques and Applications, volume 2706 of LNCS, pages 380-394. 
Springer-Verlag, 2003. 

3. T. Aoto, T. Yamada, and Y. Toyama. Proving inductive theorems of higher-order 
functional programs. In Information Technology Letters, volume 2, pages 21-22, 
2003. In Japanese. 

4. F. Baader and T. Nipkow. Term Rewriting and All That. Cambridge University 
Press, Cambridge, 1998. 

5. C. Huet and J.-M. Hullot. Proof by induction in equational theories with construc- 
tors. Journal of Computer and System Sciences, 25(2):239-266, 1982. 

6. J.-P. Jouannaud and M. Okada. Executable higher-order algebraic specification 
languages. In Proceedings of the 6th IEEE Symposium on Logic in Computer Sci- 
ence, pages 350-361. IEEE Press, 1991. 

7. D. Kapur, P. Narendran, and H. Zhang. On sufficient-completeness and related 
properties of term rewriting systems. Acta Informatica, 24(4):395-415, 1987. 

8. D. Kapur, P. Narendran, and H. Zhang. Automating inductionless induction using 
test sets. Journal of Symbolic Computation, 11(1-2):81-111, 1991. 



Takahito Aoto, Toshiyuki Yamada, and Yoshihito Toyama 



9. J. W. Klop. Combinatory Reduction Systems. PhD thesis, Rijksuniversiteit, 
Utrecht, 1980. 

10. H. Koike and Y. Toyama. Inductionless induction and rewriting induction. Com- 
puter Software, 17(6):1-12, 2000. In Japanese. 

11. K. Kusakari. On proving termination of term rewriting systems with higher-order 
variables. IPSJ Transactions on Programming, 42(SIG 7 PRO 11):35-45, 2001. 

12. K. Kusakari. Inductive theorems in SRS. Manuscript, 2003. In Japanese. 

13. K. Kusakari, M. Sakai, and T. Sakabe. Characterizing inductive theorems by ex- 
tensional initial models in a higher-order equational logic. Distributed at IPSJ 
seminar PRO-2003-3, 2003. 

14. H. Linnestad, C. Prehofer, and O. Lysne. Higher-order proof by consistency. In 
Proceedings of the 16th Annual Conference on Foundations of Software Technology 
and Theoretical Computer Science, volume 1180 of LNCS, pages 274-285. Springer- 
Verlag, 1996. 

15. R. Mayr and T. Nipkow. Higher-order rewrite systems and their confluence. The- 
oretical Computer Science, 192(1):3-29, 1998. 

16. K. Meinke. Higher-order equational logic for specification, simulation and testing. 
In Proceedings of the 2nd International Workshop on Higher-Order Algebra, Logic 
and Term Rewriting, volume 1074 of LNCS, pages 124-143. Springer-Verlag, 1995. 

17. D. R. Musser. On proving inductive properties of abstract data types. In Proceed- 
ings of the 7th Annual ACM Symposium on Principles of Programming Languages, 
pages 154-162. ACM Press, 1980. 

18. T. Nipkow and G. Weikum. A decidability result about sufficient-completeness of 
axiomatically specified abstract data types. In Proceedings of the 6th GI-Conference 
on Theoretical Computer Science, volume 145 of LNCS, pages 257-267. Springer- 
Verlag, 1983. 

19. Terese. Term Rewriting Systems. Cambridge University Press, 2003. 

20. Y. Toyama. How to prove equivalence of term rewriting systems without induction. 
Theoretical Computer Science, 90(2):369-390, 1991. 

21. T. Yamada. Confluence and termination of simply typed term rewriting systems. 
In Proceedings of the 12th International Conference on Rewriting Techniques and 
Applications, volume 2051 of LNCS, pages 338-352. Springer-Verlag, 2001. 




The Joinability and Unification Problems 
for Confluent Semi-constructor TRSs 



Ichiro Mitsuhashi, Michio Oyamaguchi, 
Yoshikatsu Ohta, and Toshiyuki Yamada 

Faculty of Engineering, Mie University, 

1515 Kamihama-cho, Tsu-shi, 514-8507, Japan 
{ichiro,mo,ohta,toshi}@cs.info.mie-u.ac.jp 



Abstract. The unification problem for term rewriting systems (TRSs) 
is the problem of deciding, for a TRS R and two terms s and t, whether 
s and t are unifiable modulo R. Mitsuhashi et al. have shown that the 
problem is decidable for confluent simple TRSs. Here, a TRS is simple 
if the right-hand side of every rewrite rule is a ground term or a vari- 
able. In this paper, we extend this result and show that the unification 
problem for confluent semi-constructor TRSs is decidable. Here, a semi- 
constructor TRS is such a TRS that every subterm of the right-hand 
side of each rewrite rule is ground if its root is a defined symbol. We first 
show the decidability of joinability for confluent semi-constructor TRSs. 
Then, using the decision algorithm for joinability, we obtain a unification 
algorithm for confluent semi-constructor TRSs. 



1 Introduction 

The unification problem for term rewriting systems (TRSs) is the problem of 
deciding, for a TRS R and two terms s and t, whether s and t are unifiable 
modulo R. This problem is undecidable in general and even if we restrict to either 
right-ground TRSs [9] or terminating, confluent, monadic, and linear TRSs [7]. 
Here, a TRS is monadic if the height of the right-hand side of every rewrite rule 
is at most one [12]. On the other hand, it is known that unification is decidable 
for some subclasses of TRSs [2, 4, 5, 8, 11]. Recently, Mitsuhashi et al. have shown 
that the unification problem is decidable for confluent simple TRSs [7]. Here, a 
TRS is simple if the right-hand side of every rewrite rule is a ground term or 
a variable. In this paper, we extend the result of [7] and show that unification 
for confluent semi-constructor TRSs is decidable. Here, a semi-constructor TRS 
is such a TRS that every subterm of the right-hand side of each rewrite rule is 
ground if its root is a defined symbol. 

In order to obtain this result, we first show the decidability of joinability for 
confluent semi-constructor TRSs. Joinability of several subclasses of TRSs has 
been shown to be decidable so far [13]. Many of these decidability results have 
been proved by reducing these problems to decidable ones for tree automata, so 
that these decidable subclasses are restricted to those of right-linear TRSs. In 
this paper, we provide a decidability result of joinability for possibly non-right- 
linear TRSs. To our knowledge, there have been very few such attempts so far. 

Next, we use a new unification algorithm obtained by refining those of [11, 7] 
to show the decidability of the unification problem for confluent semi-constructor 
TRSs. A main difference between the algorithm of the present paper and those of the 
previous works [11, 7] is that the previous ones were constructed using decision 
algorithms for both joinability and reachability, whereas the present one uses only a decision 
algorithm for joinability. Besides, the complex typed pairs of terms used in the pre- 
vious ones are replaced by the simplified typed pairs used in the present 
one. 

Moreover, in this paper we show that confluence is necessary to show the 
decidability of joinability for semi-constructor TRSs, that is, joinability for (non- 
confluent) linear semi-constructor TRSs is undecidable. 

2 Preliminaries 

We assume that the reader is familiar with standard definitions of rewrite systems 
(see [1, 14]) and we just recall here the main notations used in this paper. 

Let X be a set of variables, F a finite set of operation symbols graded by an 
arity function ar: F → ℕ, and F_n = {f ∈ F | ar(f) = n}. Let Leaf = X ∪ F_0 be the set of 
leaf symbols, and T the set of terms constructed from X and F. We use x, y, z 
as variables, b, c, d as constants, and r, s, t as terms. A term is ground if it has no 
variable. Let G be the set of ground terms and let S = T \ (G ∪ X). Let V(s) be 
the set of variables occurring in s. The height of s is defined as follows: h(a) = 0 
if a is a leaf symbol and h(f(t_1, …, t_n)) = 1 + max{h(t_1), …, h(t_n)}. The root 
symbol is defined as root(a) = a if a is a leaf symbol and root(f(t_1, …, t_n)) = f. 

A position in a term is expressed by a sequence of positive integers, which 
are partially ordered by the prefix ordering ≤. To denote that positions u and v 
are disjoint, we use u|v. The subset of all minimal positions (w.r.t. ≤) of W is 
denoted by Min(W). Let O(s) be the set of positions of s. 

Let s|_u be the subterm of s at position u. We use s[t]_u to denote the term 
obtained from s by replacing the subterm s|_u by t. For a sequence (u_1, …, u_n) of 
pairwise disjoint positions and terms r_1, …, r_n, we use s[r_1, …, r_n]_{(u_1,…,u_n)} to 
denote the term obtained from s by replacing each subterm s|_{u_i} by r_i (1 ≤ i ≤ n). 

A rewrite rule is defined as a directed equation α → β that satisfies α ∉ X 
and V(α) ⊇ V(β). Let ← be the inverse of →, ↔ = ← ∪ →, and ↓ = →* · *←. 

Let γ: s_1 → s_2 → ⋯ → s_n be a rewrite sequence. This sequence is abbreviated 
to γ: s_1 →* s_n, and ℛ(γ) = {u_1, …, u_{n−1}} is the set of the redex positions of 
γ. If the root position ε is not a redex position of γ, then γ is called ε-invariant. 
For any sequence γ and position set W, ℛ(γ) ≥ W if for any v ∈ ℛ(γ) there 
exists a u ∈ W such that v ≥ u. If ℛ(γ) ≥ W, we write γ: s_1 →*_{≥W} s_n. 

Let O_G(s) = {u ∈ O(s) | s|_u ∈ G}. For any set Δ ⊆ X ∪ F, let O_Δ(s) = {u ∈ 
O(s) | root(s|_u) ∈ Δ}. Let O_x(s) = O_{{x}}(s). The set D of defined symbols for a 
TRS R is defined as D = {root(α) | α → β ∈ R}. A term s is semi-constructor 
if, for every subterm t of s such that root(t) is a defined symbol, t is ground. 

Definition 1. A rule α → β is ground if α, β ∈ G, right-ground if β ∈ G, semi- 
constructor if β is semi-constructor, and linear if |O_x(α)| ≤ 1 and |O_x(β)| ≤ 1 
for every x ∈ X. 

Example 1. Let R_e = {nand(x, x) → not(x), nand(not(x), x) → t, t → nand(f, f), 
f → nand(t, t)}. 

R_e is semi-constructor, non-terminating and confluent [3]. We will use this 
R_e in the examples given in Section 3. 

Definition 2. [11] An equation is a pair of terms s and t denoted by s ≈ t. 
An equation s ≈ t is unifiable modulo a TRS R (or simply R-unifiable) if there 
exists a substitution θ and a rewrite sequence γ such that γ: sθ ↔* tθ. Such 
θ and γ are called an R-unifier and a proof of s ≈ t, respectively. This notion 
is extended to sets of term pairs: for Γ ⊆ T × T, θ is an R-unifier of Γ if θ is 
an R-unifier of every pair in Γ. In this case, Γ is R-unifiable. As a special case 
of R-unifiability, s ≈ t is ∅-unifiable if there exists a substitution θ such that 
sθ = tθ, i.e., ∅-unifiability coincides with the usual unifiability. If s ↓ t then s ≈ t 
is joinable. If s →* t then s ≈ t is reachable. 

Definition 3. TRSs R and R' are equivalent if 

3 Joinability 

First, we show that the joinability and reachability problems for (non-confluent) 
semi-constructor TRSs are undecidable. 

Theorem 1. The joinability and reachability problems for linear semi-construc- 
tor term rewriting systems are undecidable. 

Proof (sketch). The proof is by a reduction from Post's correspondence 
problem (PCP). Let P = {(u_i, v_i) ∈ A* × A* | 1 ≤ i ≤ k} be an instance 
of the PCP. The corresponding TRS R_P is constructed as follows: Let F_0 = 
{c, d, $}, F_1 = A ∪ {f, h}, F_2 = {g}, R_P = {c → h(c), c → d, d → f(d)} ∪ {d → 
g(u_i($), v_i($)), f(g(x, y)) → g(u_i(x), v_i(y)) | 1 ≤ i ≤ k} ∪ {h(g(a(x), a(y))) → 
g(x, y) | a ∈ A}. Here u(x) is an abbreviation for a_1(a_2(⋯a_k(x))) where u = 
a_1a_2⋯a_k with a_1, …, a_k ∈ A. R_P is linear and semi-constructor. For R_P, 
the following three propositions (1)-(3) are equivalent: (1) c ↓ g($, $), (2) c →* 
g($, $), and (3) PCP P has a solution. □ 

3.1 Standard Semi-constructor TRSs 

From now on, we consider only confluent semi-constructor TRSs, for which join- 
ability is shown to be decidable. In order to facilitate the decidability proof, we 
transform a TRS into a simpler equivalent one. 

Definition 4. For a TRS R, we use R_{rg} and R_{\overline{rg}} to denote the sets of right-ground 
and non-right-ground rewrite rules in R, respectively. 
If R is clear from the context, we write →_{rg} instead of →_{R_{rg}}. 

Definition 5. A TRS R is standard if the following condition holds: for every 
α → β ∈ R, either α ∈ F_0 and h(β) ≤ 1, or α ∉ F_0 and for every u ∈ O(β), if 
β|_u ∈ G then β|_u ∈ F_0. 

Let R_0 be a confluent semi-constructor TRS. The corresponding standard 
TRS R_0' is constructed as follows. First, we choose α → β ∈ R_k (k ≥ 0) that 
does not satisfy the standardness condition. If α ∈ F_0 then let {u_1, …, u_m} = 
{1, …, ar(root(β))} \ O_{F_0}(β), else let {u_1, …, u_m} = Min(O_G(β)) \ O_{F_0}(β). 
Let R_{k+1} = R_k \ {α → β} ∪ {α → β[d_1, …, d_m]_{(u_1,…,u_m)}} ∪ {d_i → β|_{u_i} | 
1 ≤ i ≤ m} where d_1, …, d_m are new pairwise distinct constants which do 
not appear in R_k. This procedure is applied repeatedly until the TRS satis- 
fies the condition of standardness. The resulting TRS is denoted by R_0'. For 
example, {f_1(x) → g(x, g(a, b)), f_2(x) → f_2(g(c, d))} is transformed to {f_1(x) → 
g(x, d_1), d_1 → g(a, b), f_2(x) → d_2, d_2 → f_2(d_3), d_3 → g(c, d)}. This transformation 
preserves confluence, joinability and unifiability. 
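The standardization procedure above (Definition 5 and the construction of R_0'), run on the paper's own two-rule example. This is an added example, not the paper's code; the first-order term encoding and the rule-processing order (first non-standard rule in list order, fresh constants d1, d2, ... numbered in order of creation) are choices made here.

```python
# Added example (not from the paper): the standardization of Section 3.1.
# Term representation (constructed here): a variable is a str; an application
# f(t_1, ..., t_n) is (f, [t_1, ..., t_n]); a constant of F_0 is (c, []).

def fn(f, *args):
    return (f, list(args))

def is_var(t):
    return isinstance(t, str)

def is_const(t):             # t in F_0
    return not is_var(t) and t[1] == []

def is_ground(t):            # t in G
    return not is_var(t) and all(is_ground(a) for a in t[1])

def height(t):               # h(t)
    if is_var(t) or is_const(t):
        return 0
    return 1 + max(height(a) for a in t[1])

def positions(t):
    """O(t) as tuples of ints, () being the root position."""
    if is_var(t):
        return [()]
    return [()] + [(i,) + p for i, a in enumerate(t[1], 1) for p in positions(a)]

def subterm(t, p):           # t|_p
    for i in p:
        t = t[1][i - 1]
    return t

def replace(t, p, r):        # t[r]_p
    if not p:
        return r
    f, args = t
    args = list(args)
    args[p[0] - 1] = replace(args[p[0] - 1], p[1:], r)
    return (f, args)

def is_standard(alpha, beta):
    """alpha in F_0 and h(beta) <= 1, or alpha not in F_0 and every ground
    subterm of beta is a constant (Definition 5)."""
    if is_const(alpha):
        return height(beta) <= 1
    return all(is_const(subterm(beta, p))
               for p in positions(beta) if is_ground(subterm(beta, p)))

def standardize(rules):
    """Repeatedly split the first non-standard rule alpha -> beta by cutting out
    the subterms at {u_1..u_m} and adding d_i -> beta|_{u_i} for fresh d_i."""
    rules, fresh = list(rules), 0
    while True:
        bad = next(((i, r) for i, r in enumerate(rules) if not is_standard(*r)), None)
        if bad is None:
            return rules
        i, (alpha, beta) = bad
        if is_const(alpha):  # {1..ar(root(beta))} \ O_{F_0}(beta)
            us = [(j,) for j in range(1, len(beta[1]) + 1) if not is_const(beta[1][j - 1])]
        else:                # Min(O_G(beta)) \ O_{F_0}(beta)
            ground = [p for p in positions(beta) if is_ground(subterm(beta, p))]
            minimal = [p for p in ground
                       if not any(q != p and p[:len(q)] == q for q in ground)]
            us = [p for p in minimal if not is_const(subterm(beta, p))]
        new_beta = beta
        for u in us:
            fresh += 1
            d = fn(f'd{fresh}')
            rules.append((d, subterm(beta, u)))
            new_beta = replace(new_beta, u, d)
        rules[i] = (alpha, new_beta)

def term_str(t):
    if is_var(t):
        return t
    return t[0] if not t[1] else f"{t[0]}({','.join(map(term_str, t[1]))})"

def rule_str(rule):
    return f'{term_str(rule[0])} -> {term_str(rule[1])}'

# the paper's example: {f1(x) -> g(x, g(a, b)), f2(x) -> f2(g(c, d))}
EX_R0 = [(fn('f1', 'x'), fn('g', 'x', fn('g', fn('a'), fn('b')))),
         (fn('f2', 'x'), fn('f2', fn('g', fn('c'), fn('d'))))]
EX_EXPECTED = {'f1(x) -> g(x,d1)', 'd1 -> g(a,b)', 'f2(x) -> d2',
               'd2 -> f2(d3)', 'd3 -> g(c,d)'}

if __name__ == '__main__':
    for rule in standardize(EX_R0):
        print(rule_str(rule))
```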

Lemma 1. 

(1) R_0' is confluent. 

(2) For any terms s, t which do not contain new constants, s ↓_{R_0} t iff s ↓_{R_0'} t. 

(3) For any terms s, t which do not contain new constants, s ≈ t is R_0-unifiable 
iff s ≈ t is R_0'-unifiable. 

The proof is straightforward, since R_0 is confluent. By this lemma, we can assume 
that a given confluent semi-constructor TRS is standardized without loss of 
generality. By standardization, for any α → β ∈ R_{rg}, α ∈ F_0 or β ∈ F_0 holds 
and h(β) ≤ 1. However, by the transformation algorithm given in Section 3.2, 
the heights of the right-hand sides of ground rules (called R_G type rules later) 
may increase. This is the only exceptional case. 



3.2 Adding Ground Rules 

Joinability for right-ground TRSs is decidable [10]. In this paper, we show 
that joinability for confluent semi-constructor TRSs is decidable, by reducing 
it to joinability for right-ground TRSs. 

Let R_1 be a confluent TRS and R_2 be such a TRS that R_2 ⊆ ↓_{R_1}. Then, 
obviously R_1 ∪ R_2 is equivalent to R_1 and confluent. Thus, even if we add pairs 
of joinable terms of R_1 to R_1 as new rewrite rules (called shortcuts), the confluence, 
joinability and unifiability properties are preserved. Note that reachability is 
not necessarily preserved. Now, we show that the joinability of confluent semi- 
constructor TRSs reduces to that of right-ground TRSs by adding finitely many new 
ground rules. For this purpose, we need some definitions. 

Definition 6. A rule a ^ P has type C if a G Fq,P ^ Fq and Ojj\f^{P) = 0, 
and has type Fq if a, P G Fq. Let Rr = {a^PGR\a^P has type t}. 
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That is, Rc is the subset of i?rg satisfying that for every rule a ^ (3 € Rc, cx is 
a constant, and [3 is non-constant and contains no defined non-constant symbol. 
Henceforth, we assume that R \ Rc is standard. 

Definition 7.

$$h_D(s) = \begin{cases} w + \max\{h_D(s_i) \mid 1 \le i \le n\} & \text{if } s = f(s_1, \dots, s_n),\ n > 0,\ f \in D \\ 1 + \max\{h_D(s_i) \mid 1 \le i \le n\} & \text{if } s = f(s_1, \dots, s_n),\ n > 0,\ f \notin D \\ 0 & \text{if } s \in \mathrm{Leaf} \end{cases}$$

where $w = 1 + 2\max\{h(\beta) \mid \alpha \to \beta \in R\}$. Note that we give weight $w$ to each defined non-constant symbol and $1$ to each other non-constant symbol and define new heights derived from these weights. We define $H_D(s) = \{h_D(s|_u) \mid u \in O(s)\}_m$, which is the multiset of heights of all subterms of $s$. Here, we use $\{\cdots\}_m$ to denote a multiset and $\cup$ to denote multiset union. For TRS $R_e$ of Example 1, $w = 3$ and $H_D(\mathrm{nand}(\mathrm{not}(x), x)) = \{0, 0, 1, 4\}_m$.

Let $\ll$ be the multiset extension of the usual relation $<$ on $\mathbb{N}$ and let $\underline{\ll}$ be ${\ll} \cup {=}$. Let $\#(s) = (H_D(s), g(s))$. Here, function $g(s)$ returns a natural number corresponding to $s$ uniquely, and we assume that the ordering derived by this function is closed under context, i.e., for any terms $r, s, t$ and any position $u \in O(r)$, if $g(s) < g(t)$ then $g(r[s]_u) < g(r[t]_u)$. Such a function $g$ is effectively computable [15]. In order to compare $\#(s)$ and $\#(t)$, we use the lexicographic order $<_{lex}$. Note that $<_{lex}$ is a total order. A term $s_0$ is minimum in set $\Delta$ iff $s_0 \in \Delta$ and $\#(s_0) = \mathrm{Min}(\{\#(s') \mid s' \in \Delta\})$.
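The following is an added example and not code from the paper: a small Python implementation of the weighted height $h_D$ and the multiset $H_D$ of Definition 7, of the multiset extension of $<$ used to compare the first component of $\#(s)$, and of linearize from Definition 8. The rule set used to fix $w$ is a constructed fragment (only the two rules of $R_e$ that Example 2 quotes explicitly), and nand is assumed to be the only defined non-constant symbol; the function names are this example's own.

```python
# Added example, not from the paper: weighted heights h_D and the multiset
# H_D of Definition 7, the multiset extension of < used to order #(s), and
# linearize from Definition 8(1). Terms are nested tuples ('f', t1, ..., tn);
# leaves (constants and variables) are plain strings.
from collections import Counter
from itertools import count


def height(s):
    """Ordinary height h(s): leaves are 0."""
    if isinstance(s, str):
        return 0
    return 1 + max(height(a) for a in s[1:])


def weight(rules):
    """w = 1 + 2 * max{h(beta) | alpha -> beta in R}."""
    return 1 + 2 * max(height(rhs) for _, rhs in rules)


def h_D(s, defined, w):
    """Weighted height: a defined non-constant symbol costs w, any other
    non-constant symbol costs 1, a leaf (constant or variable) costs 0."""
    if isinstance(s, str):
        return 0
    f, *args = s
    return (w if f in defined else 1) + max(h_D(a, defined, w) for a in args)


def H_D(s, defined, w):
    """Multiset {h_D(s|u) | u in O(s)}_m over every position, as a sorted list."""
    heights = []

    def walk(t):
        heights.append(h_D(t, defined, w))
        if not isinstance(t, str):
            for a in t[1:]:
                walk(a)

    walk(s)
    return sorted(heights)


def multiset_less(m, n):
    """Multiset extension << of < on the naturals: m << n iff m != n and every
    element that m has more copies of than n is dominated by a strictly larger
    element that n has more copies of."""
    cm, cn = Counter(m), Counter(n)
    if cm == cn:
        return False
    for x in cm:
        if cm[x] > cn[x] and not any(y > x and cn[y] > cm[y] for y in cn):
            return False
    return True


def linearize(s, variables):
    """Keep the first occurrence of each repeated variable and replace the
    later ones by fresh variables x1, x2, ...; also return the replacement
    relation as (old, new) pairs (the paper's x = x1)."""
    seen, renamed, fresh = set(), [], count(1)

    def go(t):
        if isinstance(t, str):
            if t in variables and t in seen:
                new = f"{t}{next(fresh)}"
                renamed.append((t, new))
                return new
            if t in variables:
                seen.add(t)
            return t
        return (t[0],) + tuple(go(a) for a in t[1:])

    return go(s), renamed


# Constructed fragment in the style of R_e (the full R_e of Example 1 is not
# reproduced here): the two rules the paper's Example 2 quotes explicitly.
R_FRAGMENT = [
    (('nand', 'x', 'x'), ('not', 'x')),
    ('t', ('nand', 'f', 'f')),
]
DEFINED = {'nand'}  # assumed: the only defined non-constant symbol
W = weight(R_FRAGMENT)

if __name__ == '__main__':
    term = ('nand', ('not', 'x'), 'x')
    print(W, H_D(term, DEFINED, W))   # the paper's w = 3 and {0, 0, 1, 4}_m
    print(linearize(term, {'x'}))
```

Running the block reproduces the paper's figures for nand(not(x), x): the defined symbol nand at the root contributes $w = 3$ on top of the height 1 of not(x), giving the subterm heights 0, 0, 1, 4.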

Definition 8.

(1) Function linearize($s$) linearizes a non-linear term $s$ in the following manner. For each variable occurring more than once in $s$, the first occurrence is not renamed, and the other ones are replaced by new pairwise distinct variables. For example, $\mathrm{linearize}(\mathrm{nand}(x, x)) = \mathrm{nand}(x, x_1)$. If function linearize replaces $x$ by $x_1$, then we use $x \doteq x_1$ to denote the replacement relation.

(2) For a set $\Delta \subseteq T$, $\mathrm{Psub}(\Delta) = \{s|_u \mid s \in \Delta,\ u \in O(s) \setminus \{\varepsilon\}\}$.

(3) For a set $\Delta \subseteq T$, $\mathrm{Bud}(\Delta, R_C) = F_0 \cup \mathrm{Psub}(\Delta \cup \{\beta \mid \alpha \to \beta \in R_C\})$. Note that if $\Delta \subseteq F_0$ then $\mathrm{Bud}(\Delta, R_C) = \mathrm{Bud}(\emptyset, R_C)$.

(4) Substitution $\sigma$ is joinability preserving under relation $\doteq$ for TRS $R_{rg}$ if $x\sigma \downarrow_{R_{rg}} x'\sigma$ whenever $x \doteq x'$. In this case, we write $\sigma \in {\downarrow}(\doteq, R_{rg})$.

(5) For TRS $R$ and term $\alpha$, $R(\alpha) = \{\beta \mid \alpha \to \beta \in R\}$.

(6) Let $\{s_1, \dots, s_m\} = R_C(d)$ and $\{u_1, \dots, u_n\} = \mathrm{Min}(\bigcup_{1 \le i \le m} O_{F_0}(s_i))$. Let $d_j$ be the minimum term in $\{s_i|_{u_j} \in F_0 \mid 1 \le i \le m\}$, $1 \le j \le n$. Then we define $\mathrm{Normalize}(d, R_C) = \{d \to s_1[d_1, \dots, d_n]_{(u_1, \dots, u_n)}\} \cup \{d_j \to s_i|_{u_j} \mid 1 \le i \le m,\ 1 \le j \le n,\ d_j \ne s_i|_{u_j}\}$. For example, $\mathrm{Normalize}(t, \{t \to \mathrm{not}(\mathrm{not}(t)),\ t \to \mathrm{not}(f)\}) = \{t \to \mathrm{not}(f),\ f \to \mathrm{not}(t)\}$.



The proofs of all the following lemmata of this paper are given in [15]. 



Lemma 2. Let $R \setminus R_C$ be standard. Let $\alpha \to \beta \in R_{rg}$, $\theta : X \to T$ and $s \to^* \alpha\theta$. Let $\alpha' = \mathrm{linearize}(\alpha)$. Then, there exists a substitution $\sigma : V(\alpha') \to \mathrm{Bud}(\{s\}, R_C)$ such that $s \to^*_{R_{rg}} \alpha'\sigma \downarrow \alpha\theta$, $\beta\sigma \downarrow \beta\theta$ and $\sigma \in {\downarrow}(\doteq, R_{rg})$.
By Lemma 2, for a rewrite sequence $d \to^* \alpha\theta \to \beta\theta$, there exists $\alpha'\sigma$ such that $d \to^*_{R_{rg}} \alpha'\sigma \downarrow \alpha\theta$ and $\beta\sigma \downarrow \beta\theta$. So, if we add a new ground rule $d \to \beta\sigma$ to $R$, then we have $d \downarrow_{R'} \beta\theta$ for $R' = R_{rg} \cup \{d \to \beta\sigma\}$. Thus, by adding shortcut rules such as $d \to \beta\sigma$, we can omit applications of $\alpha \to \beta$ which is a non-right-ground rule. Using this technique, the following algorithm takes as input a standard semi-constructor TRS $R^{(1)}$ and produces as output an equivalent semi-constructor TRS $R^{(2)}$ satisfying that if $d \to^*_{R^{(1)}} s$ then $d \to^*_{R^{(2)}_{rg}} s$. We call $R^{(2)}$ a quasi-right-ground TRS, hereafter.

function MakeQuasiRightGround(R)
  R := Determinize(R);
  repeat
    R' := R;
    R := Determinize(AddShortcuts(R'))
  until R = R';
  return R

function AddShortcuts(R)
  R' := R;
  for each α → β ∈ R_rg do
    α' := linearize(α);
    for each d ∈ F_0, σ : V(α') → Bud(∅, R_C) such that σ ∈ ↓(≐, R_rg) do
      if d →*_{R_rg} α'σ then R' := R' ∪ {d → βσ}
  return R'

function Determinize(R)
  while there exists d such that |R_C(d)| > 1 do
    R := R ∪ Normalize(d, R_C) \ {d → s | d → s ∈ R_C}
  return R

Example 2. For TRS $R_e$ of Example 1, MakeQuasiRightGround($R_e$) first computes Determinize($R_e$). It returns the same $R_e$ as output. Next, AddShortcuts($R_e$) is called. Since $t \to \mathrm{nand}(f, f),\ \mathrm{nand}(x, x) \to \mathrm{not}(x) \in R_e$, a new shortcut rule $t \to \mathrm{not}(f)$ is added to $R_e$. Similarly, $f \to \mathrm{not}(t)$ is added. Thus, AddShortcuts($R_e$) $= R'$ where $R' = R_e \cup \{t \to \mathrm{not}(f),\ f \to \mathrm{not}(t)\}$. Next, Determinize($R'$) is called and returns the same $R'$ as output. Then, AddShortcuts($R'$) is called. Note that $R'_C = \{t \to \mathrm{not}(f),\ f \to \mathrm{not}(t)\}$. AddShortcuts($R'$) returns the same $R'$, and so does the following call of Determinize($R'$). Then, the algorithm halts. Let $R_e^{(2)}$ be this result: $R_e^{(2)} = R_e \cup \{t \to \mathrm{not}(f),\ f \to \mathrm{not}(t)\}$, which will be used in later examples.

We apply this algorithm to a standard TRS. But by an application of this algorithm, the heights of some right-hand side terms of type $C$ rules may become greater than 1. This algorithm satisfies the following lemmata.

Lemma 3. MakeQuasiRightGround is terminating.
Lemma 4. Let $R^{(2)} = $ MakeQuasiRightGround($R^{(1)}$).

(1) If $d \to^*_{R^{(1)}} s$ then $d \to^*_{R^{(2)}_{rg}} s$.

(2) $\subseteq$

Corollary 1.

(1) $R^{(2)}$ is confluent (since $R^{(1)}$ is confluent).

(2) $c \downarrow_{R^{(1)}} d$ iff $c \downarrow_{R^{(2)}_{rg}} d$.

(3) $s \approx t$ is $R^{(1)}$-unifiable iff $s \approx t$ is $R^{(2)}$-unifiable.

3.3 Auxiliary Terms

We have shown that all rewrite sequences from every constant in $R^{(1)}$ (i.e., $d \to^*_{R^{(1)}} s$) can be obtained by using only right-ground rules (i.e., $d \to^*_{R^{(2)}_{rg}} s$). Now, we want to extend this result to that for rewrite sequences from any term. For this purpose, we need the notion of auxiliary terms. For $\Delta \subseteq G$,

function Aux(Δ)
  repeat
    Δ' := Δ;
    Δ := AddTerms(Δ')
  until Δ = Δ';
  return Δ

function AddTerms(Δ)
  Δ' := Δ;
  for each α → β ∈ R_rg do
    α' := linearize(α);
    for each s ∈ Δ, p ∈ O_{D \ F_0}(s), σ : V(α') → Bud({s|_p}, R_C) such that σ ∈ ↓(≐, R^(2)_rg) do
      if s|_p ↓_{R^(2)_rg} α'σ then Δ' := Δ' ∪ {s[βσ]_p}
  return Δ'

Example 3. In TRS $R_e^{(2)}$ of Example 2,

$\mathrm{Aux}(\{\mathrm{not}(\mathrm{nand}(t, t))\}) = \mathrm{AddTerms}(\{\mathrm{not}(\mathrm{nand}(t, t))\}) = \{\mathrm{not}(\mathrm{nand}(t, t)),\ \mathrm{not}(\mathrm{not}(t))\}.$



Lemma 5. For any ground term $s$,

(1) For any $s' \in \mathrm{Aux}(\{s\})$, $\mathrm{Aux}(\{s'\}) \subseteq \mathrm{Aux}(\{s\})$.

(2) $\mathrm{Aux}(\{s\})$ is finite and computable.

(3) For any $s' \in \mathrm{Aux}(\{s\})$, $s' \downarrow s$.

(4) If $s \to^* t$ then there exists $s' \in \mathrm{Aux}(\{s\})$ such that $s' \to^*_{R^{(2)}_{rg}} t$.

We call $s'$ in Lemma 5(4) an auxiliary term of $(s, t)$. This will be used to transform a non-right-ground rewrite sequence into a right-ground rewrite sequence.

Example 4. For the rewrite sequence $\mathrm{not}(\mathrm{nand}(t, t)) \to^* \mathrm{not}(\mathrm{nand}(\mathrm{not}(f), \mathrm{not}(f))) \to \mathrm{not}(\mathrm{not}(\mathrm{not}(f)))$, we can choose $\mathrm{not}(\mathrm{not}(t)) \in \mathrm{Aux}(\{\mathrm{not}(\mathrm{nand}(t, t))\})$ and $\mathrm{not}(\mathrm{not}(t)) \to^*_{R^{(2)}_{rg}} \mathrm{not}(\mathrm{not}(\mathrm{not}(f)))$.

3.4 Joinability for Confluent Semi-constructor TRSs

Lemma 6. For any ground terms $s$ and $t$, $s \downarrow_{R^{(2)}} t$ iff there exist $s' \in \mathrm{Aux}(\{s\})$ and $t' \in \mathrm{Aux}(\{t\})$ such that $s' \downarrow_{R^{(2)}_{rg}} t'$.

By Lemma 5(2) and the decidability of $s' \downarrow_{R^{(2)}_{rg}} t'$ [10], $s \downarrow_{R^{(1)}} t$ is decidable for ground terms $s$ and $t$. If $s$ or $t$ is non-ground, $s \downarrow t$ is equivalent to $s\sigma \downarrow t\sigma$ where $\sigma$ maps $V(s) \cup V(t)$ bijectively onto a set of new pairwise distinct constants which do not appear in $R^{(2)}$. Thus, we have the following theorem.

Theorem 2. The joinability for confluent semi-constructor term rewriting systems is decidable.

By confluence, we have the following corollary too. 

Corollary 2. The word problem for confluent semi-constructor term rewriting 
systems is decidable. 

4 R-Unification Algorithm

In this section, we give an $R$-unification algorithm for confluent semi-constructor TRSs. Henceforth, we consider a fixed confluent semi-constructor TRS $R$. We assume that $R$ is quasi-right-ground.

Definition 9. [11] Let $\mathcal{L}(s) = \{t \mid t \leftrightarrow^*_R s\}$.

It is decidable for any terms $s$ and $s'$ whether $s' \in \mathcal{L}(s)$ holds or not, by Corollary 2. If term $s_0$ is minimum in $\mathcal{L}(s)$ then $s_0$ is obviously minimum in $\mathcal{L}(s_0)$. We say that $s_0$ is minimum, in the sense that $s_0$ is minimum in $\mathcal{L}(s_0)$.

Lemma 7. Let $s_0$ be minimum and let $\gamma : s_0 \to^* t$. Then, $\mathcal{R}(\gamma) \ge O_{Leaf}(s_0)$. (That is, only leaf symbols of $s_0$ are rewritten in $\gamma$.)

Example 5. $\mathrm{nand}(t, x)$ is a minimum term. $O_{Leaf}(\mathrm{nand}(t, x)) = \{1, 2\}$. Only leaf symbols of $\mathrm{nand}(t, x)$ are rewritten in a rewrite sequence such as $\mathrm{nand}(t, x) \to \mathrm{nand}(\mathrm{not}(f), x) \to \mathrm{nand}(\mathrm{not}(\mathrm{not}(t)), x) \to \cdots$.

Lemma 8. The minimum term in $\mathcal{L}(s)$ is computable.
4.1 Locally Minimum Unifiers and Typed Pairs of Terms

Definition 10. Let $\Gamma \subseteq T \times T$. A substitution $\theta$ is a locally minimum $R$-unifier of $\Gamma$ if $\theta$ is an $R$-unifier of $\Gamma$ and $x\theta$ is minimum for every $x \in \mathrm{Dom}(\theta)$.

Our unification algorithm takes a pair $s \approx t$ as input and produces a locally minimum unifier $\theta$ of $s \approx t$ iff $s \approx t$ is $R$-unifiable. Different types of pairs are distinguished by using the notation $s \rhd t$ and $s \approx_{vf} t$, which are said to be of type $\rhd$ and of type $vf$, respectively. These definitions are similar to those of [11]. Type $\rhd_U$ was used in [11], but the parameter $U$ is not essential, so it is omitted.

Definition 11. Let $Eq = \{s \approx t,\ s \rhd t,\ s \approx_{vf} t,\ \mathrm{fail} \mid s, t \in T\}$. Here, fail is introduced as a special symbol and we assume that there exists no $R$-unifier of fail [11]. For $\Gamma \subseteq Eq$ and substitution $\theta$, let $\Gamma\theta = \{s\theta \approx t\theta \mid s \approx t \in \Gamma\} \cup \{s\theta \rhd t\theta \mid s \rhd t \in \Gamma\} \cup \{s\theta \approx_{vf} t\theta \mid s \approx_{vf} t \in \Gamma\} \cup \{\mathrm{fail} \mid \mathrm{fail} \in \Gamma\}$.

$R$-unifiers of these new pairs are required to satisfy additional conditions derived from these types.

Definition 12. A substitution $\theta$ is a (locally minimum) $R$-unifier of $s \rhd t$ if $\theta$ is a (locally minimum) $R$-unifier of $s \approx t$ and there exists a rewrite sequence $\gamma : s\theta \to^* r \leftarrow^*_{\ge O_X(t)} t\theta$ for some term $r$.

A substitution $\theta$ is a (locally minimum) $R$-unifier of $s \approx_{vf} t$ if $\theta$ is a (locally minimum) $R$-unifier of $s \approx t$ and there exists $\gamma : s\theta \to^* t\theta$ such that $O_X(t)$ is a frontier in $\gamma$, i.e., $u \mid v$ or $v \le u$ holds for any $u \in \mathcal{R}(\gamma)$ and $v \in O_X(t)$.

Note that if $t \notin S$, $s \rhd t$ can be replaced by $s \approx t$ and excluded from $Eq$.

Example 6. Let $R_e^{(2)}$ be the TRS of Example 2.

1. $\mathrm{nand}(f, \mathrm{not}(\mathrm{not}(t))) \rhd \mathrm{nand}(y, \mathrm{not}(y))$ is $R_e^{(2)}$-unifiable, since any substitution $\theta$ satisfying $y\theta = f$ is an $R_e^{(2)}$-unifier: $\mathrm{nand}(f, \mathrm{not}(\mathrm{not}(t))) \to \mathrm{nand}(f, \mathrm{not}(f))$.

2. $\mathrm{nand}(t, \mathrm{not}(t)) \approx_{vf} \mathrm{nand}(\mathrm{not}(f), y)$ is $R_e^{(2)}$-unifiable, since any substitution $\theta$ satisfying $y\theta = f$ is an $R_e^{(2)}$-unifier: $\mathrm{nand}(t, \mathrm{not}(t)) \to \mathrm{nand}(\mathrm{not}(f), \mathrm{not}(t)) \to \mathrm{nand}(\mathrm{not}(f), f)$.

To convert typed pairs into untyped ones, we define the function Core.

Definition 13. [11] For $\Gamma \subseteq Eq$, let $\mathrm{Core}(\Gamma) = \{s \approx t \mid s \approx t \in \Gamma \text{ or } s \rhd t \in \Gamma \text{ or } s \approx_{vf} t \in \Gamma\} \cup \{\mathrm{fail} \mid \mathrm{fail} \in \Gamma\}$.

Definition 14. [11] Substitutions $\theta$ and $\theta'$ are consistent if $x\theta = x\theta'$ for any $x \in \mathrm{Dom}(\theta) \cap \mathrm{Dom}(\theta')$.
4.2 Outline of R-Unification Algorithm

We now give our $R$-unification algorithm for confluent semi-constructor TRSs, which is based on the unification algorithm in [11] applicable to confluent right-ground TRSs. The algorithm in [11] is constructed by using algorithms for deciding joinability and reachability for right-ground TRSs. But the algorithm given in this section uses only the algorithm in Section 3, which decides joinability of semi-constructor TRSs. Thus, our unification algorithm can be considered a refined version of that of [11] in the sense that no algorithm for deciding reachability of semi-constructor TRSs is needed, and some primitive operations are unified or simplified.

Each primitive operation $\Phi$ of our algorithm takes a finite set of pairs $\Gamma \subseteq Eq$ and produces some $\Gamma' \subseteq Eq$, denoted by $\Gamma \Rightarrow_\Phi \Gamma'$. This operation is called a transformation. Such a transformation is made nondeterministically: $\Gamma \Rightarrow_\Phi \Gamma_1, \Gamma \Rightarrow_\Phi \Gamma_2, \dots, \Gamma \Rightarrow_\Phi \Gamma_k$ are allowed for some $\Gamma_1, \dots, \Gamma_k \subseteq Eq$. In this case, we write $\Phi(\Gamma) = \{\Gamma_1, \dots, \Gamma_k\}$, regarding $\Phi$ as a function. Let $\Rightarrow^*_\Phi$ be the reflexive transitive closure of $\Rightarrow_\Phi$. Our algorithm starts from $\Gamma_0 = \{s_0 \approx t_0\}$ and makes primitive transformations repeatedly. We will prove that there exists a sequence $\Gamma_0 \Rightarrow^*_\Phi \Gamma$ such that $\Gamma$ is $\emptyset$-unifiable iff $\Gamma_0$ is $R$-unifiable.

Our algorithm is divided into three stages. Stage I repeatedly decomposes a set of term pairs $\Gamma$ into another one $\Gamma'$ by guessing a rewrite rule applied at the root position of a non-variable subterm of some term appearing in $\Gamma$. Finally, Stage I transforms $\Gamma$ into a set of type $vf$ pairs, which becomes the input of the next Stage II. Stage II is similar to a usual $\emptyset$-unification algorithm and stops when a set of type $vf$ pairs $\Gamma$ is in solved form, as explained later. The Final Stage only checks $\emptyset$-unifiability of $\Gamma$ in solved form.

We give the definition related to validity of the algorithm.

Definition 15. [11] Let $\Phi : \mathcal{P}(Eq) \to \mathcal{P}(\mathcal{P}(Eq))$ be a transformation. Then, $\Phi$ is valid iff the following validity conditions (V1) and (V2) hold. For any $\Gamma \subseteq Eq$, let $\Phi(\Gamma) = \{\Gamma_1, \dots, \Gamma_n\}$.

(V1) If $\theta$ is a locally minimum $R$-unifier of $\Gamma$, then there exists an $i$ ($1 \le i \le n$) and a substitution $\theta'$ such that $\theta'$ is consistent with $\theta$ and $\theta'$ is a locally minimum $R$-unifier of $\Gamma_i$.

(V2) If there exists an $i$ ($1 \le i \le n$) such that $\mathrm{Core}(\Gamma_i)$ is $R$-unifiable, then $\mathrm{Core}(\Gamma)$ is $R$-unifiable.

4.3 Stage I

The transformation $\Phi_1$ of Stage I takes as input a finite set of pairs $\Gamma \subseteq Eq$ and has a finite number of nondeterministic choices $\Gamma \Rightarrow \Gamma_1, \dots, \Gamma \Rightarrow \Gamma_n$ for some $\Gamma_1, \dots, \Gamma_n \subseteq Eq$. We consider all possibilities in order to ensure the correctness of the algorithm.

We begin with the initial $\Gamma = \{s_0 \approx t_0\}$ and repeatedly apply the transformation $\Phi_1$ until the current $\Gamma$ becomes $\emptyset$ or contains either fail or at least one type $vf$ pair. This condition is called the stop condition of Stage I and is defined as $\Gamma \cap \{\mathrm{fail},\ s \approx_{vf} t \mid s, t \in T\} \ne \emptyset$ or $\Gamma = \emptyset$. If $\Gamma$ satisfies this condition, then $\Gamma$ becomes the input of the next stage.

To describe the transformations used in Stage I, we need the following auxiliary function:

$\mathrm{Decompose}(s, t) = \{s|_i \rhd t|_i \mid 1 \le i \le k,\ t|_i \in S\} \cup \{s|_i \approx t|_i \mid 1 \le i \le k,\ t|_i \notin S\}$

where $k = \mathrm{ar}(\mathrm{root}(s))$.

In Stage I, we nondeterministically apply Conversion or choose an element $p$ in $\Gamma \setminus X \times X$ and apply one of the following transformations (TT, GG, VG, VT) to $\Gamma$ according to the form of the chosen $p = s \approx t$ or $p = s \rhd t$:


  s \ t |  S  |  G  |  X
  ------+-----+-----+-----
    S   | TT  | TT  | VT
    G   | TT  | GG  | VG
    X   | VT  | VG  |  -

If no transformation is possible, $\Gamma \Rightarrow \{\mathrm{fail}\}$. We write $s \sim t$ if $s \approx t$ or $t \approx s$. We say that $p = s \sim t$ satisfies the TT condition if $s, t \notin X$ and either $s \notin G$ or $t \notin G$, the VT condition if $s \in V$ and $t \in S$, the VG condition if $s \in V$ and $t \in G$, and the GG condition if $s, t \in G$. Similarly, we say that $p = s \rhd t$ satisfies the TT condition if $s \notin V$ and $t \in S$, and the VT condition if $s \in V$ and $t \in S$. Note that if $p = s \rhd t$ then $t \in S$.

Let $\Gamma' = \Gamma \setminus \{p\}$. In the following explanations, we assume that $\theta$ is a locally minimum unifier of $p$ and we list the conditions that are assumed on a proof $\gamma$ of $p$. When applying the transformations we of course lack this information, and so we just have to check that the conditions of the transformations are satisfied.

Conversion. If $\Gamma \subseteq \{x \approx r,\ r \approx x,\ x \rhd r \mid r \in T \setminus G\}$, then

$\Gamma \Rightarrow_{\Phi_1} \mathrm{Conv}(\Gamma)$

where $\mathrm{Conv}(\Gamma) = \{x \approx_{vf} r \mid x \approx r \in \Gamma \text{ or } r \approx x \in \Gamma \text{ or } x \rhd r \in \Gamma\}$. Note that $\mathrm{Conv}(\Gamma)$ satisfies the stop condition of Stage I.

In the following examples, we use the TRS $R_e^{(2)}$ of Example 2.

Example 7. $\{\mathrm{nand}(y, \mathrm{not}(y)) \approx y\} \Rightarrow \{y \approx_{vf} \mathrm{nand}(y, \mathrm{not}(y))\}$

TT Transformation.

1. If $p = s \sim t$ satisfies the TT condition, we choose one of the following three cases. Let $k = \mathrm{ar}(\mathrm{root}(s))$. We guess that $\theta$ is a locally minimum $R$-unifier of $p$ and that there exists a joinable sequence $\gamma : s\theta \downarrow t\theta$.

(a) If $\mathrm{root}(s) = \mathrm{root}(t)$, then

$\Gamma' \cup \{p\} \Rightarrow \Gamma' \cup \{s|_i \approx t|_i \mid 1 \le i \le k\}$

In this transformation, we guess that $\gamma : s\theta \downarrow t\theta$ is $\varepsilon$-invariant.

(b) If $s \notin G$, then we choose a fresh variant of a rule $\alpha \to \beta \in R$ that satisfies $\mathrm{root}(s) = \mathrm{root}(\alpha)$ and

$\Gamma' \cup \{p\} \Rightarrow \Gamma' \cup \mathrm{Decompose}(s, \alpha) \cup \{\beta \approx t\}$

In this transformation, we guess that $\alpha\sigma \to \beta\sigma$ is the leftmost $\varepsilon$-reduction step in $\gamma : s\theta \to^* \alpha\sigma \to \beta\sigma \downarrow t\theta$ for some substitution $\sigma$ (where the subsequence $s\theta \to^* \alpha\sigma$ is $\varepsilon$-invariant).

(c) If $s \in G$, then we choose a term $s' \in \mathrm{Aux}(\{s\})$ and

i. If $\mathrm{root}(s') = \mathrm{root}(t)$,

$\Gamma' \cup \{p\} \Rightarrow \Gamma' \cup \{s'|_i \approx t|_i \mid 1 \le i \le k\}$

ii. We choose a rule $\alpha \to \beta \in R_{rg}$ that satisfies $s' \to^* \beta$ and

$\Gamma' \cup \{p\} \Rightarrow \Gamma' \cup \{\beta \approx t\}$

and then do a single TT transformation on $t \approx \beta$ as in 1.a or 1.b. Note that it is decidable whether or not $s' \to^* \beta$ [10]. In this transformation, we guess that $\alpha\sigma \to \beta$ is the rightmost $\varepsilon$-reduction step in $\gamma : s' \to^* \alpha\sigma \to \beta \downarrow t\theta$ for some substitution $\sigma$.

In this transformation, we guess an auxiliary term $s'$. Then, we can assume $s \downarrow s'$ and $s' \downarrow t\theta$.

2. If $p = s \rhd t$ satisfies the TT condition, we choose one of the following three cases. We guess that there exists a sequence $\gamma : s\theta \to^* r \leftarrow^*_{\ge O_X(t)} t\theta$ for some term $r$.

(a) If $\mathrm{root}(s) = \mathrm{root}(t)$, then

$\Gamma' \cup \{p\} \Rightarrow \Gamma' \cup \mathrm{Decompose}(s, t)$

and if $s \in G$, then apply the VG transformation described later to every $s' \approx x \in \mathrm{Decompose}(s, t) \cap (G \times X)$. In this transformation, we guess that $\gamma : s\theta \to^* r \leftarrow^*_{\ge O_X(t)} t\theta$ is $\varepsilon$-invariant.

(b) If $s \notin G$, we choose a fresh variant of a rule $\alpha \to \beta \in R$ that satisfies $\mathrm{root}(s) = \mathrm{root}(\alpha)$ and

$\Gamma' \cup \{p\} \Rightarrow \Gamma' \cup \mathrm{Decompose}(s, \alpha) \cup \{\beta \rhd t\}$

In this transformation, we guess that $\alpha\sigma \to \beta\sigma$ is the leftmost $\varepsilon$-reduction step in $\gamma : s\theta \to^* \alpha\sigma \to \beta\sigma \to^* r \leftarrow^*_{\ge O_X(t)} t\theta$ for some substitution $\sigma$ (where the subsequence $s\theta \to^* \alpha\sigma$ is $\varepsilon$-invariant).

(c) If $s \in G$, then we choose a term $s' \in \mathrm{Aux}(\{s\})$ and

i. If $\mathrm{root}(s') = \mathrm{root}(t)$,

$\Gamma' \cup \{p\} \Rightarrow \Gamma' \cup \mathrm{Decompose}(s', t)$

ii. We choose a rule $\alpha \to \beta \in R_{rg}$ that satisfies $s' \to^* \beta$, $\mathrm{root}(\beta) = \mathrm{root}(t)$ and

$\Gamma' \cup \{p\} \Rightarrow \Gamma' \cup \{\beta \rhd t\}$

and then do a single TT transformation on $\beta \rhd t$ as in 2.a. Again it is decidable whether or not $s' \to^* \beta$ [10]. In this transformation, we guess that $\alpha\sigma \to \beta$ is the rightmost $\varepsilon$-reduction step in $\gamma : s' \to^* \alpha\sigma \to \beta \to^* r \leftarrow^*_{\ge O_X(t)} t\theta$ for some substitution $\sigma$. Thus, the subsequence $\gamma'$ (of $\gamma$) $: \beta \to^* r \leftarrow^*_{\ge O_X(t)} t\theta$ is $\varepsilon$-invariant. This ensures that case 2.a of the TT transformation is applicable to $\beta \rhd t$.

Example 8. In case 1.a of the TT transformation,

$\{\mathrm{nand}(\mathrm{not}(x), t) \approx \mathrm{nand}(y, \mathrm{not}(y))\} \Rightarrow \{\mathrm{not}(x) \approx y,\ t \approx \mathrm{not}(y)\}$

By choosing the rule $\mathrm{nand}(x', x') \to \mathrm{not}(x')$ and applying case 1.b, we get

$\{\mathrm{nand}(\mathrm{not}(x), t) \approx \mathrm{nand}(y, \mathrm{not}(y))\} \Rightarrow \mathrm{Decompose}(\mathrm{nand}(\mathrm{not}(x), t), \mathrm{nand}(x', x')) \cup \{\mathrm{not}(x') \approx \mathrm{nand}(y, \mathrm{not}(y))\} = \{\mathrm{not}(x) \approx x',\ t \approx x',\ \mathrm{not}(x') \approx \mathrm{nand}(y, \mathrm{not}(y))\}$

By choosing the auxiliary term $t$ and the rule $t \to \mathrm{not}(f)$ and applying case 1.c, we get

$\{t \approx \mathrm{not}(y)\} \Rightarrow \{\mathrm{not}(f) \approx \mathrm{not}(y)\}$

After that we apply case 1.a of the TT transformation to $\mathrm{not}(y) \approx \mathrm{not}(f)$ and get $\{y \approx f\}$.


GG Transformation. If $p = s \sim t$ satisfies the GG condition and $s \downarrow t$ then

$\Gamma' \cup \{p\} \Rightarrow_{\Phi_1} \Gamma'$

Note that it is decidable whether or not $s \downarrow t$.

Example 9.

$\{\mathrm{nand}(t, \mathrm{not}(f)) \approx f\} \Rightarrow \emptyset$

Note that $\mathrm{nand}(t, \mathrm{not}(f)) \downarrow f$ holds, e.g., $\mathrm{nand}(t, \mathrm{not}(f)) \to \mathrm{nand}(\mathrm{not}(f), \mathrm{not}(f)) \to \mathrm{not}(\mathrm{not}(f)) \to \mathrm{not}(t) \to f$.

VG Transformation. If $p = x \sim s$ satisfies the VG condition,

$\Gamma' \cup \{p\} \Rightarrow \Gamma'\sigma$

where $\sigma = \{x \mapsto s'\}$ and $s'$ is the minimum term in $\mathcal{L}(s)$.

Example 10. By choosing $p = y \approx f$ and $s' = f$ (note that $f$ is a minimum term with respect to the ordering for the function $\#$),

$\{y \approx f,\ \mathrm{nand}(y, \mathrm{not}(y)) \approx f\} \Rightarrow \{\mathrm{nand}(f, \mathrm{not}(f)) \approx f\}$
VT Transformation.

1. If $p = x \sim s$ satisfies the VT condition, we choose a position $v \in O(s)$ such that $s|_v \in S$ and one of the following two cases.

(a) We choose a rule $\alpha \to \beta \in R$ that satisfies $\mathrm{root}(s|_v) = \mathrm{root}(\alpha)$ and

$\Gamma' \cup \{p\} \Rightarrow \Gamma' \cup \mathrm{Decompose}(s|_v, \alpha) \cup \{s[\beta]_v \approx x\}$

In this transformation, we guess the sequence $\gamma : s\theta \to^* s\theta[\alpha\sigma]_v \to s\theta[\beta\sigma]_v \downarrow x\theta$ for some $\sigma$ and $v \in \mathrm{Min}(\mathcal{R}(\gamma))$.

(b) We choose a constant $c$ and

$\Gamma' \cup \{p\} \Rightarrow \Gamma' \cup \{x \approx s[c]_v,\ c \approx s|_v\}$

and if $v = \varepsilon$, we apply the VG transformation to $x \approx c$. In this transformation, we guess that $x\theta|_v = c$ and $c \downarrow s\theta|_v$.

2. If $p = x \rhd s$ satisfies the VT condition, we choose a constant $c$ and a position $v \in O(s)$ such that $s|_v \in S$. Then

$\Gamma' \cup \{p\} \Rightarrow \Gamma' \cup \{x \rhd s[c]_v,\ c \rhd s|_v\}$

If $s[c]_v \in G$, then $x \rhd s[c]_v$ is replaced by $x \approx s[c]_v$. If $v = \varepsilon$, then we apply the VG transformation to $x \approx c$.

Example 11. By choosing $v = \varepsilon$ and the constant $t$ and applying case 1.b, we get

$\{y \approx \mathrm{nand}(y, \mathrm{not}(y))\} \Rightarrow \{y \approx t,\ t \approx \mathrm{nand}(y, \mathrm{not}(y))\}$

After that we apply the VG transformation to $y \approx t$.



4.4 Stage II and Final Stage

Stage II and the Final Stage are the same as those of [11]. Thus, we describe only the definitions necessary to prove correctness of the algorithm. Let $\Phi_2$ be the one-step transformation of Stage II. We write $\Gamma \Rightarrow_{\Phi_2} \Gamma'$ if $\Phi_2(\Gamma) \ni \Gamma'$.

Definition 16. [11] Let $\Gamma_X = \{x \approx y \mid x \approx_{vf} y \in \Gamma\}$ and $\Gamma_T = \{s \approx_{vf} t \in \Gamma \mid s \notin X \text{ or } t \notin X\}$. Let $\sim_{\Gamma_X}$ be the equivalence relation derived from $\Gamma_X$, i.e., the reflexive, transitive and symmetric closure of $\Gamma_X$. Let $[x]_{\sim_{\Gamma_X}}$ be the equivalence class of $x$.

Definition 17. [6] $\Gamma$ is in solved form if for any $x \approx_{vf} s$ and $y \approx_{vf} t$ in $\Gamma_T$ with $x \sim_{\Gamma_X} y$, $s = t$ holds.

The stop condition of Stage II is defined as either $\Gamma = \{\mathrm{fail}\}$ or, for any $s \approx_{vf} t \in \Gamma_T$, $s \in X$ and $\Gamma$ is in solved form.

Correctness condition of $\Phi$:

(1) $\Rightarrow_\Phi$ is terminating, and

(2) $\Gamma_0 = \{s_0 \approx t_0\}$ is $R$-unifiable iff there exist $\Gamma_1$ and $\Gamma_2$ such that $\Gamma_0 \Rightarrow^*_{\Phi_1} \Gamma_1 \Rightarrow^*_{\Phi_2} \Gamma_2$, $\Gamma_1$ satisfies the stop condition of Stage I, $\Gamma_2$ satisfies the one of Stage II, and $\Gamma_2$ is $\emptyset$-unifiable.

Now, we can deduce the main theorem.

Theorem 3. The unification problem for confluent semi-constructor term rewriting systems is decidable.

5 Conclusion

In this paper, we have shown that the joinability and unification problems for confluent semi-constructor TRSs are decidable. But reachability remains open. Obviously, the class of semi-constructor TRSs is a subclass of strongly weight-preserving TRSs, for which some sufficient conditions to ensure confluence are given in [3].
Abstract. Over the past decade, researchers have found context-sensitive term-rewriting semantics to be powerful and expressive tools for modeling programming languages, particularly in establishing type soundness proofs. Unfortunately, developing such semantics is an error-prone activity. To address that problem, we have designed PLT Redex, an embedded domain-specific language that helps users interactively create and debug context-sensitive term-rewriting systems. We introduce the tool with a series of examples and discuss our experience using it in courses and developing an operational semantics for R5RS Scheme.

1 Introduction

Since the late 1980s researchers have used context-sensitive term-rewriting systems as one of their primary tools for specifying the semantics of programming languages. They do so with good reason. Syntactic rewriting systems have proved to be simple, flexible, composable, and expressive abstractions for describing programming language behaviors. In particular, the rewriting approach to operational semantics described by Felleisen and Hieb [1] and popularized by Wright and Felleisen [2] is widely referenced and used.

Unfortunately, designing context-sensitive rewriting systems is subtle and error-prone. People often make mistakes in their rewriting rules that can be difficult to detect, much less correct. Researchers have begun to acknowledge and respond to this difficulty. Xiao, Sabry, and Ariola [3], for instance, developed a tool that verifies that a given context-sensitive term-rewriting system satisfies the unique evaluation context lemma. In the same spirit, we present PLT Redex, a domain-specific language for context-sensitive reduction systems embedded in PLT Scheme [4]. It allows its users to express rewriting rules in a convenient and precise way, to visualize the chains of reductions that their rules produce for particular terms, and to test subject reduction theorems. In section 2 of this paper we briefly explain context-sensitive term rewriting, in section 3 we introduce the rewrite language through a series of examples, and in section 4 we discuss how the language helps with subject reduction proofs. We discuss our experience in section 5, related work in section 6, and conclude with section 7.

V. van Oostrom (Ed.): RTA 2004, LNCS 3091, pp. 301-311, 2004.

© Springer-Verlag Berlin Heidelberg 2004
  e = (e e) | x | v          ((λ (x) e) v) ↦ e[v/x]   (β_v)
  v = (λ (x) e) | f          (f v) ↦ δ(f, v)          (δ_v)

  Plotkin:

      e ↦ e'           e → e'                e → e'
    ----------    --------------------    ------------------
      e → e'      (e e'') → (e' e'')      (v e) → (v e')

  Felleisen/Hieb:

    E = [] | (v E) | (E e)

    if e ↦ e', then E[e] → E[e']

Fig. 1. Specifying an evaluator for λ_v



2 Context-Sensitive Rewriting: A Brief Overview

In his seminal paper [5] on the relationship among abstract machines, interpreters and the λ-calculus, Plotkin shows that an evaluator specified via an abstract machine defines the same function as an evaluator specified via a recursive interpreter. Furthermore, the standard reduction theorem for a λ-calculus generated from properly restricted reduction relations is also equivalent to this function. As Plotkin indicated, the latter definition is by far the most concise and the easiest to use for many proofs.

Figure 1 presents Plotkin's λ_v-calculus. The top portion defines expressions, values, and the two basic relations (β_v and δ_v). The rules below on the left are his specification of the strategy for applying those two basic rules in a leftmost-outermost manner.

In a 1989 paper, Felleisen and Hieb [1] develop an alternate presentation of Plotkin's λ-calculi. Like Plotkin, they use β_v and δ_v as primitive rewriting rules. Instead of inference rules, however, they specify a set of evaluation contexts. Roughly speaking, an evaluation context is a term with a hole at the point where the next rewriting step must take place. Placing a term in the hole is equivalent to the textual substitution of the hole by the term [6]. The right side of the bottom half of figure 1 shows how to specify Plotkin's evaluator function with evaluation contexts.

While the two specifications of a call-by-value evaluator are similar at first glance, Felleisen and Hieb's is more suitable for extensions with non-functional constructs (assignment, exceptions, control, threads, etc.). Figure 2 shows how easy it is to extend the system of figure 1 (right) with assignable variables. Each program is now a pair of a store and an expression. The bindings in the store introduce the mutable variables and bind free variables in the expression. When a dereference expression for a store variable appears in the hole of an evaluation context, it is replaced with its value. When an assignment with a value on the right-hand side appears in the hole, the store bindings are modified to capture the effect of the assignment statement. The entire extension consists of three rules, with the original two rules included verbatim. Felleisen and Hieb also showed that this system can be turned into a conventional context-free calculus like the λ-calculus.
  p = ((store (x v) ...) e)
  e = ... as before ... | (let ((x e)) e) | (set! x e)
  P = ((store (x v) ...) E)
  E = ... as before ... | (let ((x E)) e) | (set! x E)

  ((store (x1 v1) ... (x2 v2) (x3 v3) ...) E[x2])
    → ((store (x1 v1) ... (x2 v2) (x3 v3) ...) E[v2])

  ((store (x1 v1) ... (x2 v2) (x3 v3) ...) E[(set! x2 v4)])
    → ((store (x1 v1) ... (x2 v4) (x3 v3) ...) E[v4])

  ((store (x1 v1) ...) E[(let ((x2 v2)) e)])
    → ((store (x1 v1) ... (x3 v2)) E[e[x3/x2]])      where x3 is fresh

  if e ↦ e', then P[e] → P[e']

Fig. 2. Specifying an evaluator for λ_s



Context-sensitive term-rewriting systems are ideally suited for proving the type soundness of programming languages. Wright and Felleisen [2] showed how this works for imperative extensions of the λ-calculus, and a large number of people have adapted the technique to other languages since then.

Not surprisingly, though, as researchers have modelled more and more complex languages with these systems, they have found it more and more difficult to model them accurately, as two of the authors discovered when they used it to specify the kernel of Java [7].

3 A Language for Specifying Context-Sensitive Rewriting

To manage this complexity, we have developed PLT Redex, a declarative domain-specific language for specifying context-sensitive rewriting systems. The language is embedded in MzScheme [4], an extension of R5RS Scheme. MzScheme is particularly suitable for our purposes for two reasons. First, as an extension of Scheme, its basic form of data includes S-expressions and primitives for manipulating S-expressions as patterns. Roughly speaking, an S-expression is an abstract syntax tree representation of a syntactic term, making it a natural choice for manipulating program text. Second, embedding PLT Redex in MzScheme gives PLT Redex programmers a program development environment and extensive libraries for free.

The three key forms PLT Redex introduces are language, red, and traces (we typeset syntactic forms in bold and functions in italics). The first,

  (language (<non-terminal-name> <rhs-pattern> ...) ...)

specifies a BNF grammar for a regular tree language. Each right-hand side is written in PLT Redex's pattern language (consisting of a mixture of concrete syntax elements and non-terminals, roughly speaking). With a language definition in place, the red form is used to define the reduction relation:

  (red <language-name> <lhs-pattern> <consequence>)
  e = v | (e e) | (+ e e) | x
  v = (λ (x) e) | number
  c = [] | (v c) | (c e) | (+ v c) | (+ c e)
  x ∈ Vars

  c[(+ n1 n2)] → c[n1 + n2]
  c[((λ (x) e) v)] → c[e[v/x]]

  (define λv
    (language (e v (e e) (+ e e) x)
              (v (lambda (x) e) number)
              (c hole
                 (v c) (c e)
                 (+ v c) (+ c e))
              (x (variable-except lambda +))))

  (red λv (in-hole c_1 (+ number_1 number_2))
       (replace (term c_1) (term hole)
                (+ (term number_1) (term number_2))))

  (red λv (in-hole c_1 ((lambda (x_1) e_1) v_1))
       (replace (term c_1) (term hole)
                (substitute (term x_1)
                            (term v_1)
                            (term e_1))))

Fig. 3. λ_v semantics (Felleisen and Hieb's notation above, PLT Redex below)

[Figure 4: screenshots of two reduction graphs produced by traces.]

Fig. 4. Reduction of a simple λ_v term and of Ω



Syntactically, it consists of three sub-expressions: a language to which the reduction ap- 
plies, a source pattern specifying which terms the rule matches, and Scheme code that, 
when evaluated, produces the resulting term as an S-expression. Finally, the function 
traces accepts a language, a list of reductions, and a term (in Scheme terms, an arbi- 
trary S-expression). When invoked, it opens a window that shows the reduction graph 
of terms reachable from the initial term. All screenshots in this paper show the output 
of traces. The remainder of this section presents PLT Redex via a series of examples. 

3.1 Example: A„ 

Our first example is Plotkin’s call-by-value A-calculus, extended with numbers and ad- 
dition. Figure 3 shows its definition in Felleisen and Hieb’s notation on the left, and in 
PLT Redex, on the right. 

The A„ language consists of abstractions, numbers, applications, sums, and variable 
references, and has only two rewriting rules. As figure 3 shows, the traditional mathe- 
matical notation translates directly into PLT Redex: each line in the BNF description of 
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Xv ’s grammar becomes one line in language. The pattern (variable-except lambda +) 
matches any symbol except those listed (in this case, lambda and +). 

The reduction rules also translate literally into uses of the red form. The first
reduction rule defines the semantics of addition. The pattern in the second argument to
red matches expressions where a syntactic term of the form (+ number number) is the
next step to be performed. It also binds the pattern metavariables c_1, number_1, and
number_2 to the context and +'s operands, respectively. In general, pattern variables
with underscores must match the non-terminal before the underscore.

The third subexpression of red constructs a new S-expression where the addition
operation is replaced by the sum of the operands, using Scheme's + operator (numeric
constants in S-expressions are identical to the numbers they represent). The in-hole
pattern is dual to the replace function. The former decomposes an expression into a context
and a hole, and the latter composes an expression from a context and its hole's new
content. The term form is PLT Redex's general-purpose tool for building S-expressions.
Here we use it only to dereference pattern variables. The second reduction rule, βv,
uses the function substitute to perform capture-avoiding variable substitution.¹ Figure 4
shows a term that reduces to 92 on the left and a term that diverges on the right.
Arrows are drawn from each term to the terms it can directly reduce to; the circular arrow
attached to the Ω term indicates that it reduces to itself. In general, the traces function
generates a user-specified number of terms and then waits until the "Reduce" button is
clicked.



3.2 Example: λs

Figure 5 contains PLT Redex definitions for λs in parallel to the definitions given in
figure 2. The first rule uses an ellipsis pattern to match a sequence of any length,
including zero, whose elements match the pattern before the ellipsis. In this case, the
pattern used to match against the store is a common idiom, matching three instances
of a pattern with ellipses after the first and the last. This idiom is used to select an
interesting S-expression in a sequence; in this case it matches x_1 to every variable in
the store and v_1 to the corresponding value. To restrict the scope of the match, we use
the same pattern variable, x_1, in both the store and in the expression. This duplication
constrains the S-expressions matched in the two places to be structurally identical, and thus
the variable in the store and the variable in the term must be the same.

In figure 5 we also see term used to construct large S-expressions rather
than just to get the values of pattern metavariables. In addition to treating pattern
variables specially, term also has special rules for commas and ellipses. The expression
following a comma is evaluated as Scheme code and its result is placed into the
S-expression at that point. Ellipses in a term expression are duals to the pattern ellipses.
The pattern before an ellipsis in a pattern is matched against a sequence of S-expressions
and the S-expression before an ellipsis in a term expression is expanded into a sequence



¹ Currently, substitute must be defined by the user using a more primitive built-in form called
subst whose details we elide for space. We intend to eliminate this requirement in a future
version of PLT Redex; see section 7.
(define λs
  (language
    (p ((store (x v) ...) e))
    (e ... as before ...
       (let ((x e)) e)
       (set! x e))
    (x (variable-except
        lambda set! let))
    (PC ((store (x v) ...) EC))
    (EC ... as before ...
        (set! x EC)
        (let ((x EC)) e))))

(red λs
  ((store (x_a v_a) ... (x_1 v_1) (x_b v_b) ...)
   (in-hole EC_1 x_1))
  (term ((store (x_a v_a) ... (x_1 v_1) (x_b v_b) ...)
         ,(replace (term EC_1) (term hole) (term v_1)))))

(red λs
  ((store (x_a v_a) ... (x_1 v_old) (x_b v_b) ...)
   (in-hole EC_1 (set! x_1 v_new)))
  (term ((store (x_a v_a) ... (x_1 v_new) (x_b v_b) ...)
         ,(replace (term EC_1) (term hole) (term v_new)))))

(red λs
  ((store (x_a v_a) ...)
   (in-hole EC_1 (let ((x_1 v_1)) e_1)))
  (let ((new-x (variable-not-in (term (x_a ...)) (term x_1))))
    (term ((store (x_a v_a) ... (,new-x v_1))
           ,(replace (term EC_1) (term hole)
              (substitute (term x_1) new-x (term e_1)))))))

Fig. 5. λs semantics

Fig. 6. Reduction of a simple λs term



of S-expressions and spliced into its context.² Accordingly, the first rule produces a term
whose store is identical to the store in the term it consumed.

The final rule also introduces another PLT Redex function, variable-not-in, which
takes an arbitrary syntactic term and a variable name and produces a new variable whose
name is similar to the input variable's name and that does not occur in the given term.

Figure 6 shows a sample reduction sequence in λs using, in order, a let reduction,
a set! reduction, a βv reduction, and a dereference reduction.

3.3 Example: Threaded λs

We can add concurrency to λs with surprisingly few modifications. The language
changes as shown in figure 7. A program still consists of a single store, but instead
of just one expression it now contains one expression per thread. In addition, each
reference to EC in the λs reductions becomes TC. No other changes need to be made, and
in particular no reduction rules need modification.

² With the exception of ellipsis and pattern variables, term is identical to Scheme's quasiquote.
(define t-λs
  (language
    (p ((store (x v) ...) (threads e ...)))
    (PC ((store (x v) ...) TC))
    (TC (threads e ... EC e ...))
    ... as before ...))

Fig. 7. Threaded λs

Fig. 8. Multiple reductions

((store (x 1))
 (threads
  (set! x (+ x 1))
  (set! x (- x 1))))

On the left, a threaded λs term and on the right, boxes containing
x's value and the number of subexpressions remaining in each thread

Fig. 9. Reduction summary using traces
To express non-determinism, PLT Redex's pattern language supports ambiguous
patterns by finding all possible ways a pattern might match a term. Consider the TC
evaluation context in figure 7, which uses the selection idiom described in section 3.2.
Unlike that example, nothing restricts this selection to a particular thread, so PLT Redex
produces multiple matches, one for each reducible thread. The traces window reflects
this by displaying all of the reductions that apply to each term when constructing the
reduction graph, as shown in figure 8.

Due to the possible interleaving of multiple threads, even simple expressions reduce
in many different ways, and gaining insight from a thicket of terms can be difficult.
Accordingly, traces has an optional extra argument that allows the user to provide an
alternative view of the term that can express a summary or just the salient part of a
term without affecting the underlying reduction sequence. Figure 9 shows an example
summarized reduction sequence.



4 Subject Reduction 

A widely used proof technique for establishing type soundness [2] is based on
context-sensitive rewriting semantics. Each proof has a key subject-reduction lemma that
guarantees that the type of a term before a reduction matches the type after the reduction.
Reduction Graph:

  ((lambda (x (num -> num)) 1)
   ((lambda (x (num -> num)) x)
    (lambda (x num) x)))

    → ((lambda (x (num -> num)) 1)
       (lambda (x num) x))

      → (lambda (x num) x)        (highlighted: fails the subject predicate)

Fig. 10. Subject fails in second reduction



PLT Redex provides support for exploring and debugging such subject-reduction
lemmas. The function traces/predicate allows the user to specify a predicate that
implements the subject of the subject-reduction lemma. Then, traces/predicate highlights in
red italics any terms that do not satisfy it.

As an example, figure 10 shows a reduction sequence for a term where the third
step's type does not match the first step's. In this particular example, the user swapped
the order of arguments to substitute, making the βv reduction incorrectly substitute the
body of the function into the argument.
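The two mechanisms discussed so far, the in-hole/replace decomposition of section 3.1 and the subject predicate of this section, can be worked through in one small Python model. The following is an added example written for this page, not code from the paper or from PLT Redex: it decomposes a λv term into an evaluation context and a redex as in-hole does, plugs the result back as replace does, builds the reduction graph that traces would draw (the Ω term gives a single self-loop), and lists the reachable terms that fail a type predicate, the terms traces/predicate would highlight. The list encoding of S-expressions, the names decompose, step, reduction_graph, type_of, traces_predicate and swapped_beta, and the sample terms SUM, OMEGA and FIG10 are this example's own assumptions; FIG10 is the term of figure 10, and swapped_beta reproduces the swapped substitute arguments described above, so the predicate run flags exactly the (lambda (x num) x) term that the figure shows in red.

```python
"""Added example, not PLT Redex code: the lambda_v calculus of Fig. 3 in Python, with
a traces-style reduction graph and a traces/predicate-style check.  Terms are nested
lists: ['lambda', ['x'], 'x'], ['+', 1, 2], [f, a]; a typed binder is ['x', type]."""

def is_value(t):                        # v ::= (lambda (x) e) | number
    return isinstance(t, int) or (isinstance(t, list) and t[0] == 'lambda')

def free_vars(t):
    if isinstance(t, (int, str)):
        return {t} if isinstance(t, str) else set()
    if t[0] == 'lambda':
        return free_vars(t[2]) - {t[1][0]}
    return set().union(*map(free_vars, t[1:] if t[0] == '+' else t))

def fresh(x, avoid):                    # variable-not-in: x, x1, x2, ... not in avoid
    y, i = x, 1
    while y in avoid:
        y, i = f"{x}{i}", i + 1
    return y

def subst(x, v, e):
    """Capture-avoiding e[v/x]: the substitute of Fig. 3, arguments x, v, e."""
    if isinstance(e, (int, str)):
        return v if e == x else e
    if e[0] == 'lambda':
        (y, *ann), body = e[1], e[2]
        if y == x:                      # x is shadowed under this binder
            return e
        if y in free_vars(v):           # rename the binder to avoid capture
            z = fresh(y, free_vars(v) | free_vars(body))
            body, y = subst(y, z, body), z
        return ['lambda', [y, *ann], subst(x, v, body)]
    return [subst(x, v, s) for s in e]  # (+ e e) and (e e); '+' is never a variable

def decompose(t):
    """in-hole: split t into (plug, redex) along c ::= [] | (v c) | (c e) | (+ v c) | (+ c e);
    plug(r) does what replace does.  None if t is a value or stuck (free variable, (1 2))."""
    if is_value(t) or isinstance(t, str):
        return None
    i = 1 if t[0] == '+' else 0         # index of the left operand
    if all(is_value(k) for k in t[i:]):
        return (lambda r: r), t         # the hole is the whole term
    if is_value(t[i]):                  # (v c) / (+ v c): descend on the right
        i += 1
    inner = decompose(t[i])
    if inner is None:
        return None
    plug, redex = inner
    return (lambda r: t[:i] + [plug(r)] + t[i + 1:]), redex

def step(t, beta=subst):
    """One reduction of t or None; beta is the right-hand side of the beta_v rule."""
    d = decompose(t)
    if d is None:
        return None
    plug, r = d
    if r[0] == '+':
        return plug(r[1] + r[2]) if all(isinstance(n, int) for n in r[1:]) else None
    f, v = r
    return plug(beta(f[1][0], v, f[2])) if isinstance(f, list) else None

def reduction_graph(t, beta=subst, limit=50):
    """What traces draws: (terms reached, edges), breadth first, at most limit terms."""
    seen, edges, todo = {repr(t): t}, [], [t]
    while todo and len(seen) <= limit:
        cur = todo.pop(0)
        nxt = step(cur, beta)
        if nxt is not None:
            edges.append((cur, nxt))
            if repr(nxt) not in seen:
                seen[repr(nxt)] = nxt
                todo.append(nxt)
    return list(seen.values()), edges

def type_of(t, env=None):
    """Simple types for annotated terms: 'num' or [t1, '->', t2]; None if ill-typed."""
    env = env or {}
    if isinstance(t, (int, str)):
        return 'num' if isinstance(t, int) else env.get(t)
    if t[0] == 'lambda':
        x, *ann = t[1]                  # ann is emp the empty list for an untyped binder
        body = type_of(t[2], {**env, x: ann[0]}) if ann else None
        return None if body is None else [ann[0], '->', body]
    if t[0] == '+':
        return 'num' if type_of(t[1], env) == 'num' == type_of(t[2], env) else None
    f, a = type_of(t[0], env), type_of(t[1], env)
    return f[2] if isinstance(f, list) and a is not None and f[0] == a else None

def traces_predicate(t, pred, beta=subst):
    """traces/predicate: the reachable terms that fail pred (drawn in red italics)."""
    return [u for u in reduction_graph(t, beta)[0] if not pred(u)]

def swapped_beta(x, v, e):              # the section 4 bug: substitute's v and e swapped
    return subst(x, e, v)

# Constructed samples: SUM reduces to 6, OMEGA to itself, FIG10 is the term of figure 10.
SUM = [['lambda', ['x'], ['+', 'x', 1]], ['+', 2, 3]]
OMEGA = [['lambda', ['x'], ['x', 'x']], ['lambda', ['x'], ['x', 'x']]]
NUM_TO_NUM = ['num', '->', 'num']
FIG10 = [['lambda', ['x', NUM_TO_NUM], 1],
         [['lambda', ['x', NUM_TO_NUM], 'x'], ['lambda', ['x', 'num'], 'x']]]
```

With the correct βv rule, traces_predicate(FIG10, lambda u: type_of(u) == 'num') returns an empty list; with swapped_beta it returns [['lambda', ['x', 'num'], 'x']], the term figure 10 flags. Checking every reachable term against an invariant in this way is the same discipline as a property test on an implementation: the predicate states what must hold after each step, and the graph search finds the first step that breaks it.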

5 Experience Using PLT Redex 

As the examples in section 3 suggest, PLT Redex is suitable for modeling a wide variety
of languages. That suggestion has been borne out in practice as we have developed a
reduction semantics for R5RS Scheme that captures the language in as much detail as
the R5RS formal semantics does [8, section 7.2]. Our experience developing one facet
of the semantics highlights the strength of PLT Redex. In evaluating a procedure call,
the R5RS document deliberately leaves unspecified the order in which arguments are
evaluated, but specifies that [8, section 4.1.3]

    the effect of any concurrent evaluation of the operator and operand expressions
    is constrained to be consistent with some sequential order of evaluation. The
    order of evaluation may be chosen differently for each procedure call

In the formal semantics section, the authors explain how they model this ambiguity:

    [w]e mimic [the order of evaluation] by applying arbitrary permutations permute
    and unpermute ... to the arguments in a call before and after they are
    evaluated. This is not quite right since it suggests, incorrectly, that the order of
    evaluation is constant throughout a program ... . [8, Section 7.2].

We realized that our rules, in contrast, can capture the intended semantics using
nondeterminism to select the argument to reduce. Our initial, incorrect idea of how to
capture this was to change the definition of expression evaluation contexts (otherwise
similar to those in λs) so that they could occur on either side of an application:

    (language (EC (e EC) (EC e)) ... as before ...)

When we visualized a few reductions using that modification with traces, we quickly
spotted an error in our approach. We had accidentally introduced non-deterministic
concurrency to the language. The term
(define r5
  (language
    (inert (mark v)
           e)
    (EC ((mark EC) inert)
        (inert (mark EC)))
    ... as before ...))

(red r5 (in-hole PC_1 (e_1 inert_1))
  (replace (term PC_1) (term hole)
    (term ((mark e_1) inert_1))))

(red r5 (in-hole PC_1 (inert_1 e_1))
  (replace (term PC_1) (term hole)
    (term (inert_1 (mark e_1)))))

(red r5 (in-hole c_1 ((mark (lambda (x_1) e_1)) (mark v_1)))
  (replace (term c_1)
           (term hole)
           (substitute (term x_1) (term v_1) (term e_1))))

Fig. 11. Reduction rules for unspecified application order



    (let ((x 1)) (((lambda (y) (lambda (z) x))
                   (set! x (+ x 1)))
                  (set! x (- x 1))))

should always reduce to 1. Under our semantics, however, it could also reduce to 2 and
0, just as the term in figure 9 does.

Experimenting with the faulty system gave us the insight into how to fix it. We 
realized that the choice of which term in an application should be ambiguous, but once 
the choice had been made, there should not be any further ambiguity. Accordingly, we 
introduced a mark in application expressions. The choice of where to place the mark is 
arbitrary, but once a mark is placed, evaluation under that mark must complete before 
the other subexpression of an application is evaluated. 

Figure 11 shows the necessary revisions to λs to support R5RS-style procedure
applications. We introduce the non-terminal inert to stand for terms where evaluation
does not occur, i.e., unmarked expressions or marked values. The top two reductions on
the right-hand side of the figure non-deterministically introduce marks into applications.
The evaluation contexts change to ensure that evaluation only occurs inside marked
expressions, and application changes to expect marked procedures and arguments.
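The store and thread rules of sections 3.2 and 3.3 and the mark discipline of this section can be exercised together in one small Python model. The following is an added example written for this page, not code from the paper or from PLT Redex: it implements dereference and set! over a store as in figure 5, lets any thread step as the ambiguous TC context of figure 7 does, and enumerates every interleaving breadth first as traces would. For the evaluation-order question of this section it uses a binary operator in place of application and offers the three context choices discussed above: the left-to-right contexts of figure 5, the (e EC)/(EC e) contexts that accidentally interleave the two operands, and the marked contexts of figure 11. The names steps, program_steps, outcomes, final_x and results, the list encoding of terms, and the sample programs FIG9 (the term of figure 9) and RACE (a stand-in for the let term above, with the same two set! expressions as operands) are this example's own assumptions.

```python
"""Added example, not PLT Redex code: the store/threads language of Figs. 5, 7 and 9
in Python, plus the three evaluation-context choices of section 5 for a binary
operator, which stands in for the application of Fig. 11.  Expressions: numbers,
variable names, ['+', e, e], ['-', e, e], ['set!', x, e], and ['mark', e] in 'mark'
mode.  A program is (store dict, tuple of thread expressions); steps() returns
every successor, so an ambiguous context yields several, as Redex's matcher does."""
from collections import deque

def is_mark(t):
    return isinstance(t, list) and t[0] == 'mark'

def is_inert(t):                         # inert ::= (mark v) | e: no evaluation inside
    return not is_mark(t) or isinstance(t[1], int)

def arith(op, a, b):
    return a + b if op == '+' else a - b

def mark_or_run(t, store, mode):
    """One operand under the mark discipline: an unmarked operand receives a mark
    (the top two rules of Fig. 11); a marked one is evaluated inside its mark."""
    return steps(t, store, mode) if is_mark(t) else [(['mark', t], store)]

def steps(e, store, mode):
    """All one-step successors (e', store') of e.  mode picks the contexts for a
    binary operator: 'seq' = (op v EC) | (op EC e) as in Fig. 5; 'faulty' =
    (op e EC) | (op EC e), section 5's first attempt, which interleaves the two
    operands; 'mark' = ((mark EC) inert) | (inert (mark EC)) as in Fig. 11."""
    if isinstance(e, int):
        return []
    if isinstance(e, str):                          # x -> its value in the store
        return [(store[e], store)]
    if is_mark(e):                                  # evaluation continues under a mark
        return [(['mark', r], s) for r, s in steps(e[1], store, mode)]
    op, a, b = e
    if op == 'set!':
        if isinstance(b, int):                      # (set! x v): update store, result v
            return [(b, {**store, a: b})]
        return [(['set!', a, r], s) for r, s in steps(b, store, mode)]
    out = []
    if mode == 'mark':
        if is_mark(a) and is_mark(b) and isinstance(a[1], int) and isinstance(b[1], int):
            return [(arith(op, a[1], b[1]), store)] # (op (mark n1) (mark n2))
        if is_inert(b):                             # ((mark EC) inert)
            out += [([op, r, b], s) for r, s in mark_or_run(a, store, mode)]
        if is_inert(a):                             # (inert (mark EC))
            out += [([op, a, r], s) for r, s in mark_or_run(b, store, mode)]
        return out
    if isinstance(a, int) and isinstance(b, int):
        return [(arith(op, a, b), store)]
    if not isinstance(a, int):                      # (op EC e)
        out += [([op, r, b], s) for r, s in steps(a, store, mode)]
    if not isinstance(b, int) and (mode == 'faulty' or isinstance(a, int)):
        out += [([op, a, r], s) for r, s in steps(b, store, mode)]   # (op v EC) / (op e EC)
    return out

def program_steps(store, threads, mode):
    """TC ::= (threads e ... EC e ...): every thread that can step gives a successor."""
    out = []
    for i, e in enumerate(threads):
        for ne, ns in steps(e, store, mode):
            out.append((ns, threads[:i] + (ne,) + threads[i + 1:]))
    return out

def outcomes(store, threads, mode='seq'):
    """Explore the reduction graph breadth first (as traces does) and return the
    terminal states as (tuple of thread results, sorted store items) pairs."""
    key = lambda s, ts: (tuple(sorted(s.items())), repr(ts))
    start = (store, tuple(threads))
    seen, todo, finals = {key(*start)}, deque([start]), set()
    while todo:
        s, ts = todo.popleft()
        succ = program_steps(s, ts, mode)
        if not succ:
            finals.add((ts, tuple(sorted(s.items()))))
        for ns, nts in succ:
            if key(ns, nts) not in seen:
                seen.add(key(ns, nts))
                todo.append((ns, nts))
    return finals

def final_x(store, threads, mode='seq'):  # values x can hold when every thread is done
    return {dict(s)['x'] for _, s in outcomes(store, threads, mode)}

def results(store, threads, mode='seq'):  # tuples of per-thread results
    return {r for r, _ in outcomes(store, threads, mode)}

# Constructed sample programs.  FIG9 is the threaded term of figure 9; RACE is a
# single-thread stand-in for the let term of section 5: both operands of one
# operator update x, so only their order, not their interleaving, may be visible.
FIG9 = ({'x': 1}, (['set!', 'x', ['+', 'x', 1]], ['set!', 'x', ['-', 'x', 1]]))
RACE = ({'x': 1}, (['+', ['set!', 'x', ['+', 'x', 1]], ['set!', 'x', ['-', 'x', 1]]],))
```

For FIG9, final_x reports {0, 1, 2}, the three outcomes of figure 9. For RACE the 'faulty' contexts likewise yield three results (1, 2 and 3), the 'mark' contexts only the two sequential orders (1 and 3), and 'seq' exactly one (3). The set comparison makes the distinction the visualization exposed checkable without a window, which is what an automatic test suite over reduction graphs needs.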

In addition to providing a graphical interface to reduction graphs, PLT Redex also
provides a programmatic interface to the reduction graphs as a consequence of its being
embedded in PLT Scheme. This interface let us build large automatic test suites for the
R5RS semantics system among others that we could run without having to call traces
and produce visual output. We found these test cases to be invaluable during
development, since changes to one section of our semantics often had effects on seemingly
unrelated sections and inspecting visual output manually quickly became infeasible.

We gained additional experience by using PLT Redex as a pedagogical tool. The
University of Utah's graduate-level course on programming languages introduces
students to the formal specification of languages through context-sensitive rewriting.
Students model a toy arithmetic language, the pure λ-calculus, the call-by-value λ-calculus
(including extensions for state and exceptions), typed λ-calculi, and a model of Java.

In the most recent offering of the course, we implemented many of the course's
reduction systems using PLT Redex, and students used PLT Redex to explore specific
evaluations. Naturally, concepts such as confluence and determinism stood out
particularly well in the graphical presentation of reduction sequences. In the part of the course
where we derive an interpreter for the λ-calculus through a series of "machines," PLT
Redex was helpful in exposing the usefulness of each machine change.

As a final project, students implemented context-sensitive rewriting models from 
recent conference papers as PLT Redex programs. This exercise provided students with 
a much deeper understanding of the models than they would have gained from merely 
reading the paper. For a typical paper, students had to fill significant gaps in the formal 
content (e.g., the figures with grammars and reduction rules). This experience suggests 
that paper authors could benefit from creating a machine-checked version of a model, 
which would help to ensure that all relevant details are included in a paper’s formalism. 

6 Related Work 

Many researchers have implemented programs similar to our reduction tool. For
example, Elan [9], Maude [10], and Stratego [11] all allow users to implement
term-rewriting systems (and more), but are focused more on context-free term-rewriting.
The ASF+SDF compiler [12] has strong connections to PLT Redex but is geared
towards language implementation rather than exploration and so makes tradeoffs that do
not suit the needs of lightweight debugging (but that make it a better tool for building
efficient large-scale language implementations).

Our reduction tool is focused on context-sensitive rewriting and aims to help its
users visualize and understand rewriting systems rather than employ them for some
other purpose. The in² graphical interpreter for interaction nets [13] also helps its users
visualize sequences of reductions, but is tailored to a single language.

7 Conclusion and Future Work 

Our own efforts to develop novel rewriting systems and to teach operational semantics 
based on term-rewriting to students have been aided greatly by having an automatic 
way to visualize rewriting systems. We are confident that PLT Redex can be useful to 
others for the same purposes. 

Our implementation is reasonably efficient. The test suite for our "beginner"
language semantics, a system with 14 nonterminals with 55 total productions and 52
reduction rules that models a reasonable purely-functional subset of Scheme intended for
beginning programmers, runs 90 reductions in just over 2 seconds on our test machine.
This represents a huge slowdown over the speed one would expect from a dedicated
interpreter, but in practice seems quick enough to be useful.

We plan to extend PLT Redex to allow simple ways to express the binding structure 
of a language, which will allow us to synthesize capture-avoiding substitution rules 
automatically. We also plan to add more support for the reduction rules commonly used 
in the literature, such as source patterns that match only if other patterns did not. 

Our implementation of PLT Redex is available as an add-on package to DrScheme
(http://www.drscheme.org). Choose DrScheme's File | Install .plt File menu item and
supply this url: http://people.cs.uchicago.edu/%7Ejacobm/plt/pltredex.plt